I don't follow.
On Aug 4, 2008, at 12:50 AM, Maureen wrote:

> Parse the storedString and put everything after your comparison as the
> value of cfqueryparam.
>
> On Sun, Aug 3, 2008 at 7:59 PM, Rich <[EMAIL PROTECTED]> wrote:
>> Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in
>> one case, I'm storing the "WHERE" conditions in a user account so that
>> the user can call up the last search he did. So I construct the
>> string (e.g. parameter1='A' AND parameter2='B'...) and when I store
>> that finished string, I use cfqueryparam. However, what if code for
>> an SQL injection is entered there. Although it will not be executed
>> when it is stored, it could be executed when it is called up later:
>>
>> <cfquery...
>> SELECT * FROM Table1
>> WHERE #storedString#
>> </cfquery>
>>
>> The only thing I can think of is dynamically building the string in
>> the WHERE clause and inserting the appropriate cfqueryparam tag for
>> each parameter. Seems pretty cumbersome. Are there any other
>> solutions?
>>
>> Thanks,
>>
>> Rich

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3112
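The approach Maureen describes (parse the stored WHERE string, then bind each value as a query parameter instead of interpolating the string), as an added example that is not code from this thread. It is written in Python with sqlite3 rather than ColdFusion so it runs stand-alone; the ? placeholders play the role of cfqueryparam. The table name Table1 and the columns parameter1 and parameter2 come from Rich's message; the column allowlist, the sample rows and the restriction to `column='literal'` conditions joined by AND are assumptions of this example. Column names cannot be bound as parameters (cfqueryparam, like a ? placeholder, only covers values), so they are checked against an allowlist instead, and any stored string that does not fit the expected shape is rejected before any SQL is executed.

```python
import re
import sqlite3

# Constructed allowlist: the only columns a stored search may reference.
# Identifiers cannot be bound as parameters, so they are checked here instead.
ALLOWED_COLUMNS = {"parameter1", "parameter2"}

# One condition of the form  column = 'literal'  (with '' as the escaped quote).
_COND = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*'((?:[^']|'')*)'\s*")
# The only connective accepted between conditions.
_AND = re.compile(r"AND\s+", re.IGNORECASE)


def parse_stored_where(stored):
    """Split a stored WHERE string such as "parameter1='A' AND parameter2='B'"
    into (column, value) pairs. Anything that is not a chain of
    column='literal' conditions joined by AND raises ValueError, which is the
    point: a clause that breaks out of the literal never reaches the database."""
    pairs = []
    pos = 0
    if not stored.strip():
        return pairs
    while True:
        m = _COND.match(stored, pos)
        if not m:
            raise ValueError(f"unparseable condition at offset {pos}: {stored[pos:]!r}")
        column, raw = m.group(1), m.group(2)
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        # Undo the SQL quote doubling so the bound value is the literal text.
        pairs.append((column, raw.replace("''", "'")))
        pos = m.end()
        if pos == len(stored):
            return pairs
        conj = _AND.match(stored, pos)
        if not conj:
            raise ValueError(f"expected AND at offset {pos}: {stored[pos:]!r}")
        pos = conj.end()


def build_query(pairs):
    """Rebuild the query with one bind placeholder per value, the equivalent of
    emitting one cfqueryparam per condition. Columns are already allowlisted."""
    if not pairs:
        return "SELECT * FROM Table1", ()
    where = " AND ".join(f"{column} = ?" for column, _ in pairs)
    return f"SELECT * FROM Table1 WHERE {where}", tuple(value for _, value in pairs)


def run_stored_search(conn, stored):
    """Parse the stored string, then run it with the values bound as data."""
    sql, params = build_query(parse_stored_where(stored))
    return conn.execute(sql, params).fetchall()


def is_safe_stored_where(stored):
    """True when the stored string is accepted by the parser, False otherwise."""
    try:
        parse_stored_where(stored)
        return True
    except ValueError:
        return False


def sample_db():
    """Constructed in-memory stand-in for Table1 with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (id INTEGER, parameter1 TEXT, parameter2 TEXT)")
    conn.executemany("INSERT INTO Table1 VALUES (?, ?, ?)",
                     [(1, "A", "B"), (2, "A", "C"), (3, "X", "B")])
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(run_stored_search(db, "parameter1='A' AND parameter2='B'"))
    # A value that smuggles in a quote is bound as data, so it matches nothing.
    print(run_stored_search(db, "parameter1='A'' OR 1=1 --'"))
    # A clause that breaks out of the literal is rejected before any SQL runs.
    print(is_safe_stored_where("parameter1='A' OR 1=1 --"))
```

The same shape in ColdFusion is a loop over the parsed pairs that emits `AND #column# = <cfqueryparam value="#value#" cfsqltype="cf_sql_varchar">` inside the cfquery, with the column checked against the allowlist before it is interpolated. Storing the search as name/value pairs in the first place, rather than as a finished SQL fragment, removes the parsing step entirely and leaves only the per-value cfqueryparam loop Rich already described.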