There’s also PreserveSingleQuotes
for those occasions that cfqueryparam just isn’t possible…I believe
it does exactly what Magnus is looking for.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jared Rypka-Hauer - CMG, LLC
Sent: Thursday, July 07, 2005 8:49 PM
To: [email protected]
Subject: Re: [CFCDev] CFC Functions Escaping ' using methods
Magnus,
Use cfqueryparam and don't bother trying to do all the escaping with
hand-written code.
Otherwise you could possibly use UrlEncodedFormat(string) to convert any
extraneous code characters, HtmlCodeFormat or HtmlEditFormat, or others to
encode your data before saving it to the DB...
But still, you're WAY better off to use cfqueryparam instead of trying to roll
your own escaping mechanism.
Laterz,
J
On 7/5/05, Magnus Wege <[EMAIL PROTECTED]> wrote:
Hello,
I have a question concerning the escaping of strings, especially the character '
which can and does cause SQL injection if not escaped.
The problem is: using a getter method without escaping in a SQL query causes
an error and allows SQL injection!
<cfquery ....>
UPDATE Table SET sName = '#oObject.getName()#'
</cfquery>
IS NOT SECURE, BECAUSE OF THE USE OF A FUNCTION!
Therefore I would prefer to use <cfqueryparam>, but I
again encountered a problem with Unicode characters, because the N prefix is not
allowed; e.g. this is an error: N<cfqueryparam ... />
Of course you can enable Unicode for each datasource in the ColdFusion
Administrator individually. I am just curious about the recently implemented
N'#myvar#' statements in existing SQL statements?
Is there any best practice on this issue?
Any help is appreciated... thx in advance
PS: Development environment: we use CFMX 6.1
Magnus
web-shuttle AG,
Munich, Germany
----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to [email protected] with the words
'unsubscribe cfcdev' as the subject of the email.
CFCDev is run by CFCZone (www.cfczone.org)
and supported by CFXHosting (www.cfxhosting.com).
CFCDev is supported by New Atlanta, makers of BlueDragon
http://www.newatlanta.com/products/bluedragon/index.cfm
An archive of the CFCDev list is available at www.mail-archive.com/[email protected]
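The following is an added illustration, not code from any poster in this thread: the getter-in-cfquery pattern Magnus shows, placed beside the cfqueryparam form Jared recommends. The datasource name "appDS", the getId() getter and the column types are assumptions.

```cfml
<!--- Constructed example (not from the thread). Assumed: a component oObject
      with getName() and getId() getters, a datasource named "appDS", a
      VARCHAR(100) column sName and an integer column id. --->

<!--- VULNERABLE (the pattern from the original post).
      ColdFusion doubles single quotes automatically only for simple variable
      references inside cfquery, not for the result of a function call, so a
      single quote returned by getName() ends the string literal and whatever
      follows it is parsed as SQL. --->
<cfquery datasource="appDS">
    UPDATE Table SET sName = '#oObject.getName()#'
</cfquery>

<!--- HARDENED: cfqueryparam passes each value as a bind parameter, so a quote
      in the name stays data. No N'...' prefix is written in the SQL text; for
      Unicode the datasource is configured in the ColdFusion Administrator
      instead, as noted in the thread. maxlength is an extra length check. --->
<cfquery datasource="appDS">
    UPDATE Table
    SET sName = <cfqueryparam value="#oObject.getName()#"
                              cfsqltype="cf_sql_varchar" maxlength="100">
    WHERE id = <cfqueryparam value="#oObject.getId()#"
                             cfsqltype="cf_sql_integer">
</cfquery>
```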