Dean.
Just being clear.
This is what we get when two people strive to be very clear all the
time!
:-)
/charlie
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, July 27, 2007 10:23 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
Good catch Charlie... guess my morning coffee hadn't kicked in yet!
Parameterization doesn't actually escape anything. It forces
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, July 27, 2007 8:40 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
How does that provide any security? Unless you validate the data, you are
subject to SQL injection.
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
"Great spirits have often encountered violent opposition fr
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 23, 2007 4:52 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
Yes, Seth, technically you are correct. But there is a better way here. Instead
> > useful one, but I thought of something that none
> > of us mentioned.
> > >
> > > Since you know that the list of columns is a
> > limited set, you could
> > > also keep it the simpler way of passing in the
> > column names (if you
> > >
us attempt by a user to inject extra SQL
> statements will be
> > detected and prevented. Hope that's helpful.
> >
> > /charlie
> >
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Dean H.
> > Saxe
> > Sent: Monday, J
Yep, more and more refinement. :-)
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Thursday, July 26, 2007 10:13 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
Charlie,
Good idea. Actually the
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort
OK, as I had surmised, you're using the CFQueryParam in the SORT
itself. I know this "works" (doesn't give an error, in 7 or
before), but it doesn't do what you wa
ific experience?
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Small, Lewis B.
Sent: Monday, July 23, 2007 2:45 PM
To: Charlie Arehart; discussion@acfug.org
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort
From: Charlie Arehart [mailto:[EMAIL PROTECTED]
Sent: Monday, July 23, 2007 1:42 PM
To: discussion@acfug.org
Cc: Small, Lewis B.
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort
Seth, it may help to show your SQL so we know for sure what you're
aski
rt of
that previous CFQUERY?
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tepfer, Seth
Sent: Monday, July 23, 2007 12:28 PM
To: discussion@acfug.org
Cc: Small, Lewis B.
Subject: [ACFUG Discuss] cfqueryparam in a sort
We have an MSAccess db, and have a dynamic sort with cfqueryparam.
When I use the actual field (fname), the query sorts correctly. When I
use the cfqueryparam, it does not sort - even though the debug says the
field fname was sent correctly.
Does cfqueryparam make sort not work?
Thanks
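Added example, not code from the thread (the list never shows Seth's actual query): it reproduces the behaviour the replies describe using Python's sqlite3 module in place of ColdFusion and MS Access, with a constructed `people` table and a hypothetical allow-list of sortable columns. Binding the column name as a parameter is accepted without error but orders by a constant string, so nothing is sorted; identifiers have to be validated against a fixed set and only then spliced into the SQL text, while real data values (the WHERE clause) are where binding belongs.

```python
import sqlite3

# Constructed sample data; the thread's real table and columns are not shown.
SAMPLE_ROWS = [("Zoe", "Adams"), ("Amy", "Young"), ("Mia", "Kim")]

# Hypothetical allow-list of identifiers a caller may sort on. Column names and
# sort directions are SQL identifiers/keywords, not data, so they are checked
# against a fixed set rather than bound as parameters.
ALLOWED_SORT_COLUMNS = {"fname", "lname"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    """Build an in-memory SQLite table standing in for the Access db in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (fname TEXT, lname TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def sort_with_bound_param(conn, column):
    """What cfqueryparam inside ORDER BY amounts to: the column name travels as a
    bound string value, so the database orders by the constant 'fname', not by
    the fname column. No error is raised, and no sorting happens either."""
    rows = conn.execute("SELECT fname FROM people ORDER BY ?", (column,))
    return [r[0] for r in rows]


def sort_with_allowlist(conn, column, direction="ASC"):
    """Validate the identifier against the allow-list, then (and only then)
    splice it into the SQL text. Anything outside the set is rejected, which is
    the check Dean asks for and the 'limited set of columns' Charlie describes."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    rows = conn.execute(f"SELECT fname FROM people ORDER BY {column} {direction}")
    return [r[0] for r in rows]


def find_by_fname(conn, value):
    """Where parameters do belong: a data value in WHERE. The value is bound and
    compared as data, never parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT lname FROM people WHERE fname = ?", (value,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("ORDER BY bound param :", sort_with_bound_param(db, "fname"))
    print("ORDER BY allow-listed:", sort_with_allowlist(db, "fname"))
```

Running it shows the bound-parameter query returning rows in insertion order regardless of which column name was passed, while the allow-listed version actually sorts and refuses any column outside the set.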