Stephen Moretti wrote:
> You are quite correct.
>
> Jochem's example will wind up with all the DROP TABLE junk in the text
> field.

Read again what I wrote about C-style escaping. Or just test it.

> If you try that against a numeric field, then you wind up with invalid
> SQL which will throw an error.

Correct.

> Besides, shouldn't there be some data validation before you get to the
> stage of running the query?????  Or am I just weird?

Either that, or you should use cfqueryparam.

Jochem

--
I don't get it
immigrants don't work
and steal our jobs
     - Loesje
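The two options Jochem names, input validation before the query or cfqueryparam, shown side by side with the string-splicing form they replace. This is an added example, not code from the thread or from either poster; the datasource `myDSN`, the `users` table with an integer `id` and a text `name`, and the `url.id` / `url.name` parameters are assumed.

```cfml
<!--- Added example, not from the thread. Assumes datasource "myDSN",
      a users table (integer id, varchar name) and URL parameters. --->

<!--- Weak form: the request value is spliced into the SQL text.
      Whether a DROP TABLE payload ends up stored literally in a text
      column or breaks the statement with a SQL error depends entirely
      on how the quotes are escaped and on the column type, which are
      the two cases discussed in the thread. --->
<cfquery name="byNameSpliced" datasource="myDSN">
    SELECT id, name FROM users
    WHERE name = '#url.name#'
</cfquery>

<!--- Option 1: validate before the query is ever built. cfparam with
      type="integer" throws if url.id is not an integer, so a non-numeric
      value never reaches the SQL at all. --->
<cfparam name="url.id" type="integer">

<!--- Option 2: cfqueryparam binds the value as a query parameter instead
      of text. cfsqltype makes ColdFusion check the value against the
      column type before sending the query; cf_sql_integer rejects
      anything that is not a number, and cf_sql_varchar with maxlength
      bounds the text value. --->
<cfquery name="byId" datasource="myDSN">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfquery name="byName" datasource="myDSN">
    SELECT id, name FROM users
    WHERE name = <cfqueryparam value="#url.name#"
                               cfsqltype="cf_sql_varchar"
                               maxlength="50">
</cfquery>
```

Doing both is the usual practice: cfparam (or isValid) rejects malformed input early with a clear error, and cfqueryparam keeps the value out of the SQL text regardless of what escaping the driver applies.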