We just write queries as normal, and let the jdbc driver deal with the N...
So all our queries are like
<cfquery>
SELECT *
FROM foo
WHERE bar = <cfqueryparam ... />
</cfquery>
Magnus Wege wrote:
Hello,
I have a question concerning the escaping of strings, especially the char '
which can and do cause some SQL injection if not escaped.
The problem is: using a getter method without escaping in a SQL query causes
an error and allows SQL injection!
<cfquery ....>
UPDATE Table SET sName = '#oObject.getName()#'
</cfquery>
IS NOT SECURE, BECAUSE OF THE USE OF A FUNCTION!
Therefore I would prefer to use <cfqueryparam>, but I
encountered again a problem with Unicode characters, because the N is not
allowed, e.g. this is an error: N<cfqueryparam ... />
Of course you can enable Unicode for each datasource in the ColdFusion
Administrator individually. I am just curious about the already implemented
N'#myvar#' statements in existing SQL statements?
Is there any best practice on this issue?
Any help is appreciated... thx in advance
PS: Development environment: we use CFMX 6.1
Magnus
web-shuttle AG,
Munich, Germany
----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to
[email protected] with the words 'unsubscribe cfcdev' as the subject of the
email.
CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
(www.cfxhosting.com).
CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm
An archive of the CFCDev list is available at
www.mail-archive.com/[email protected]
--
Haikal Saadh, Applications Programmer
Teaching and Learning Support Services
K405, Queensland University of Technology, Kelvin Grove Campus
[EMAIL PROTECTED], 3864 8633
CRICOS No. 00213J
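As an added illustration (not code from either poster), here is the UPDATE from Magnus's message rewritten the way Haikal describes: the value from the getter is bound with <cfqueryparam> instead of being interpolated inside quotes. oObject, getName(), Table and sName are the thread's own names; the datasource name, the getID() method and the nID column are assumptions for the example. No N prefix is written in front of the parameter (the thread notes that is a syntax error); with the Unicode option for the datasource enabled in the ColdFusion Administrator, the driver takes care of sending the bound string as Unicode.

```cfml
<!--- Added example, not from the original thread. Assumed: datasource "myDSN",
      method oObject.getID() and column nID. --->
<cfset sName = oObject.getName()>

<!--- The string is bound by the driver, so a value containing a quote
      (e.g. the name O'Brien) is stored as data and never changes the SQL.
      cfsqltype lets the driver reject the wrong type; maxlength bounds the
      value so an oversized string fails instead of being truncated silently. --->
<cfquery name="qUpdate" datasource="myDSN">
    UPDATE Table
    SET    sName = <cfqueryparam value="#sName#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="100" />
    WHERE  nID   = <cfqueryparam value="#oObject.getID()#"
                                 cfsqltype="cf_sql_integer" />
</cfquery>
```

Note that the getter is still called inside the cfquery tag, exactly as in the insecure version; the difference is only that its result is passed as the value attribute of <cfqueryparam>, so no escaping of the ' character is needed anywhere in the application code.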