I'd change the select * to a specific list of columns, and replace the
'%... with a cfqueryparam as you well know.
On 9/11/07, Les Mizzell [EMAIL PROTECTED] wrote:
I'm working my way through some legacy sites that have queries that need
a little securing from SQL injection attacks. Most of
I guess I'm a little unclear on how to use a like with cfqueryparam.
I'd change the select * to a specific list of columns, and replace the
'%... with a cfqueryparam as you well know.
On 9/11/07, Les Mizzell [EMAIL PROTECTED] wrote:
I'm working my way through some legacy sites that have
Just LIKE this, sorry could not resist:
WHERE pa_name like cfqueryparam value='%#form.pa_name#%'...
~|
Check out the new features and enhancements in the
latest product release - download the What's New PDF now
You should be able to straight up replace the part after like with a
cfqueryparam. Keep the percent signs in and everything.
-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 11, 2007 11:22 AM
To: CF-Talk
Subject: How to protect this query?
I'm
WHERE pa_name like cfqueryparam value='%#form.pa_name#%'...
The percent signs aren't escaped? I thought they were and it wouldn't work.
I haven't tested this - let me check. Seems too simple, huh?
~|
ColdFusion is delivering
: Re: How to protect this query?
I guess I'm a little unclear on how to use a like with cfqueryparam.
I'd change the select * to a specific list of columns, and replace the
'%... with a cfqueryparam as you well know.
On 9/11/07, Les Mizzell [EMAIL PROTECTED] wrote:
I'm working my way
Nope, in this case it is just that simple, actually with a lot of CF
it's just simple, thats why we all love it after all! :-)
~|
Check out the new features and enhancements in the
latest product release - download the What's
7 matches
Mail list logo