Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in one case, I'm storing the "WHERE" conditions in a user account so that the user can call up the last search he did. So I construct the string (e.g. parameter1='A' AND parameter2='B'...) and when I store that finished string, I use cfqueryparam. However, what if code for an SQL injection is entered there? Although it will not be executed when it is stored, it could be executed when it is called up later:
<cfquery... SELECT * FROM Table1 WHERE #storedString# </cfquery>

The only thing I can think of is dynamically building the string in the WHERE clause and inserting the appropriate cfqueryparam tag for each parameter. Seems pretty cumbersome. Are there any other solutions?

Thanks,
Rich

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3110
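One way to avoid storing SQL text at all, as an added example that is not part of the original post: keep the saved search as column/value pairs and rebuild the parameterised WHERE clause each time it is called up, so values only ever travel as bind parameters and column names come from an allowlist. It is written in Python with sqlite3 so it runs stand-alone; Table1, its columns and rows are constructed, and in CFML each bind parameter would become a cfqueryparam tag.

```python
import json
import sqlite3

# Columns a saved search may filter on. Column names cannot be bound as
# parameters, so they must come from this allowlist, never from stored text.
ALLOWED_COLUMNS = {"parameter1", "parameter2", "status"}


def serialize_search(criteria):
    """Store the search as data (column -> value pairs), never as SQL text."""
    for column in criteria:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column}")
    return json.dumps(criteria)


def build_where(stored):
    """Rebuild a parameterised WHERE clause from the stored criteria.
    Returns (sql_fragment, params); the values are bound, not concatenated."""
    criteria = json.loads(stored)
    clauses, params = [], []
    for column in sorted(criteria):
        if column not in ALLOWED_COLUMNS:  # re-check: storage could be tampered
            raise ValueError(f"column not allowed: {column}")
        clauses.append(f"{column} = ?")
        params.append(criteria[column])
    where = " AND ".join(clauses) if clauses else "1=1"
    return where, params


def run_saved_search(conn, stored):
    where, params = build_where(stored)
    return [row[0] for row in conn.execute(f"SELECT id FROM Table1 WHERE {where}", params)]


def demo():
    # Constructed in-memory table standing in for Table1.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (id INTEGER, parameter1 TEXT, parameter2 TEXT, status TEXT)")
    conn.executemany("INSERT INTO Table1 VALUES (?,?,?,?)", [
        (1, "A", "B", "open"),
        (2, "A", "C", "open"),
        (3, "x' OR '1'='1", "B", "closed"),
    ])
    # A saved value that looks like an injection attempt: because it is stored as
    # data and later bound, it only matches the row holding that literal string.
    stored = serialize_search({"parameter1": "x' OR '1'='1"})
    return run_saved_search(conn, stored)  # returns [3]


if __name__ == "__main__":
    print(demo())
```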