Why not <cfqueryparam>?

<cfqueryparam cfsqltype="CF_SQL_CHAR" value="#url.name#">

As I understand it, this creates a Local sql variable with a char datatype out of your url variable.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 8:35 PM
To: CF-Talk
Subject: RE: How do I do a SQL insertion attack?

So what is the best way to prevent an attack when you need to accept a string? How would you make a query like this safe?

<cfquery name="qIDs" Datasource="dsn">
SELECT * FROM names WHERE name = '#url.name#'
</cfquery>

I have always avoided using anything but ids in a query, but recently I have needed to use a query like this. What I did was to check the URL variable for keywords like delete, drop, etc. But is there a better way?

~DM

= = = Original message = = =
Check out this article by Ben Forta:
http://www.macromedia.com/desdev/articles/ben_forta_faster.html

==
Peter Tilbrook
ColdFusion Applications Developer
Defence Housing Authority
26 Brisbane Ave
Barton ACT 2600
AUSTRALIA
Ph: 02 6217 8444
Fax: 02 6217 8500
Website: www.dha.gov.au

______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
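The following is an added example, not code from any of the posters above, that puts DM's vulnerable query beside the <cfqueryparam> form suggested in the reply. The table `names`, the columns `id` and `name`, the datasource `dsn`, and the `maxlength` of 50 are assumed for illustration. The point of <cfqueryparam> is that ColdFusion sends the value to the database as a bound parameter of the declared `cfsqltype` rather than splicing it into the SQL text, so the contents of `url.name` are never parsed as SQL; a blacklist of words like "delete" or "drop" is unnecessary and, on its own, easy to get wrong.

```cfml
<!--- Default the inputs so the page does not throw on a missing URL parameter --->
<cfparam name="url.name" default="">
<cfparam name="url.id" default="0">

<!---
  VULNERABLE (the query as posted in the thread, kept only for comparison):
  url.name is concatenated into the SQL string, so whatever the client sends
  becomes part of the statement the database parses.
--->
<!---
<cfquery name="qIDs" datasource="dsn">
    SELECT * FROM names WHERE name = '#url.name#'
</cfquery>
--->

<!---
  HARDENED: the value travels as a bind parameter of type VARCHAR.
  maxlength caps the accepted length (assumed 50 here) and the
  database never sees the value as SQL text.
--->
<cfquery name="qByName" datasource="dsn">
    SELECT id, name
    FROM names
    WHERE name = <cfqueryparam cfsqltype="CF_SQL_VARCHAR"
                                value="#url.name#"
                                maxlength="50">
</cfquery>

<!---
  The same technique for the "ids only" case DM mentions:
  declaring CF_SQL_INTEGER makes ColdFusion reject a non-numeric value
  before the query is ever sent, which is a type check for free.
--->
<cfquery name="qById" datasource="dsn">
    SELECT id, name
    FROM names
    WHERE id = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#url.id#">
</cfquery>

<!---
  Partial matches: build the wildcard pattern in CFML, then bind the whole
  pattern. The user still cannot break out of the string literal.
--->
<cfset searchPattern = "%" & url.name & "%">
<cfquery name="qLikeName" datasource="dsn">
    SELECT id, name
    FROM names
    WHERE name LIKE <cfqueryparam cfsqltype="CF_SQL_VARCHAR"
                                   value="#searchPattern#"
                                   maxlength="52">
</cfquery>

<cfoutput>
    <p>Exact matches: #qByName.recordCount#</p>
    <p>Partial matches: #qLikeName.recordCount#</p>
</cfoutput>
```

Every dynamic value in the statement goes through <cfqueryparam>; the only things written directly into the SQL are column and table names the developer controls. If a column or sort direction has to vary with user input, pick it from a fixed list in CFML rather than interpolating the request value, since bind parameters cannot stand in for identifiers.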

