and prevented. Hope that's helpful.
/charlie
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Monday, July 23, 2007 4:52 PM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
Yes, Seth, technically you are correct. But there is a better way here. Instead of passing the sort column name directly from the user, send a proxy value for the order by clause. In other words, identify the different order
Sent: Friday, July 27, 2007 8:40 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
How does that provide any security? Unless you validate the data, you are subject to SQL injection.
Dean H. Saxe, CISSP, CEH
[EMAIL PROTECTED]
Great spirits have often
, which I don't think the CFARGUMENT datatype protection will do. Anyone know more?
/charlie
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, July 27, 2007 8:40 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam
!
:-)
/charlie
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe
Sent: Friday, July 27, 2007 10:23 AM
To: discussion@acfug.org
Subject: Re: [ACFUG Discuss] cfqueryparam in a sort
Good catch Charlie... guess my morning coffee hadn't kicked in yet!
Parameterization doesn't actually escape anything. It forces the DB to parse the query independently of the data, produce an execution plan and then plug the data
.
/charlie
_
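The two points made in the thread, Dean's "proxy value" for the ORDER BY column and the observation that parameterization keeps query text and data apart rather than escaping anything, can be seen together in a small added example. This is not code from the thread or from ColdFusion; it is constructed here in Python against an in-memory SQLite table named Sheet1 (the table name is borrowed from the thread, the rows and the SORT_COLUMNS allow-list are made up). It shows why binding the column name as a parameter is injection-safe but sorts nothing, and how an allow-list maps a caller-supplied key to a column the code itself chooses while the WHERE value stays bound.

```python
import sqlite3

# Constructed sample rows for a table named Sheet1 (the name is taken from the
# thread; the rows are made up). Inserted deliberately out of both id and name
# order so that a real sort is visible in the output.
ROWS = [(2, "carol"), (3, "alice"), (1, "bob")]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sheet1 (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO Sheet1 VALUES (?, ?)", ROWS)
    return conn


def sort_with_bound_column(conn, sort_col):
    """What putting the column name into a bind parameter amounts to.

    The query text is fixed as 'ORDER BY ?' and 'name' arrives as data, so the
    database orders by the string constant 'name', which is identical for every
    row. Nothing can be injected, but no useful sort happens either.
    """
    cur = conn.execute("SELECT id FROM Sheet1 ORDER BY ?", (sort_col,))
    return [row[0] for row in cur.fetchall()]


# The proxy-value approach: the caller chooses a key, the code chooses the
# column. Only these two strings can ever reach the SQL text.
SORT_COLUMNS = {"id": "id", "name": "name"}


def sort_with_allow_list(conn, sort_key, min_id=0):
    """Order by a column selected from the allow-list; bind the real data."""
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        # Anything not in the table is rejected before it gets near the SQL.
        raise ValueError(f"unsupported sort key: {sort_key!r}")
    # The column name comes from our own mapping, never from the caller's text;
    # the WHERE value is still passed as a bound parameter.
    sql = f"SELECT id FROM Sheet1 WHERE id >= ? ORDER BY {column}"
    cur = conn.execute(sql, (min_id,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    print("bound column name:", sort_with_bound_column(db, "name"))
    print("allow-listed name:", sort_with_allow_list(db, "name"))
    print("allow-listed id  :", sort_with_allow_list(db, "id"))
    try:
        sort_with_allow_list(db, "name DESC")
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script it prints the ids in the order each query returned them; the allow-listed name sort yields alice, bob, carol (ids 3, 1, 2), while the bound-column version returns the rows with no name ordering applied. Adding a direction or a second column means adding another entry to SORT_COLUMNS, not accepting more of the caller's text.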
From: Charlie Arehart [mailto:[EMAIL PROTECTED]
Sent: Monday, July 23, 2007 1:42 PM
To: discussion@acfug.org
Cc: Small, Lewis B.
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort
Seth, it may help to show your SQL so we know for sure what you're asking. I can't see how using CFQUERYPARAM for the value of a WHERE clause would affect in any way an ability to SORT. Now, are you sorting in the same CFQUERY using the CFQUERYPARAM? Or might this be a Query of Query sort of that
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Small, Lewis B.
Sent: Monday, July 23, 2007 2:45 PM
To: Charlie Arehart; discussion@acfug.org
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort
<cfquery name="Recordset" datasource="db1">
SELECT * From Sheet1 where
Sent: Monday, July 23, 2007 4:43 PM
To: discussion@acfug.org
Subject: RE: [ACFUG Discuss] cfqueryparam in a sort
OK, as I had surmised, you're using the CFQueryParam in the SORT itself. I know this works (doesn't give an error, in 7 or before), but it doesn't do what you want, right? I ran