The second query won't allow anyone to perform a SQL injection attack against the database, although it's possible that using #ColNames# or #preserveSingleQuotes(ColValues)# in this example might.
> Keep in mind that most other databases (besides SQL Server) don't allow
> you to send two queries at once like this. It's very insecure, because
> of sql injection possibilities. But since you guys are all talking
> about MS SQL, this works fine. :)
>
> > -----Original Message-----
> > From: Pete Ruckelshaus [mailto:[EMAIL PROTECTED]
> > Sent: Monday, April 03, 2006 9:03 PM
> >
> > You are correct.
> >
> > Moreover, a better solution would be something like this
> > (assuming SQL Server):
> >
> > <cftransaction>
> > <cfquery name="qInsertData" datasource="#APPLICATION.dsn#">
> > INSERT INTO t_doctors (#ColNames#)
> > VALUES (#preserveSingleQuotes(ColValues)#);
> > SELECT SCOPE_IDENTITY() AS newpkey;
> > </cfquery>
> > </cftransaction>

s. isaac dealey 434.293.6201
new epoch : isn't it time for a change?
add features without fixtures with the onTap open source framework
http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:236882
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
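The thread's concern is that `#ColNames#` and `#preserveSingleQuotes(ColValues)#` are spliced into the statement verbatim, so the column list and the values are whatever the caller supplied. The following is an added example, not code from the thread or from the onTap project: it uses Python with an in-memory SQLite database (standing in for ColdFusion and SQL Server) to show the verbatim-splicing builder beside a hardened insert that checks column names against an allow-list and binds the values as parameters. The table name `t_doctors` and the `newpkey`-style returned id follow the quoted query; the column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed allow-list: the only columns the insert form is permitted to write.
ALLOWED_COLUMNS = ("first_name", "last_name", "specialty")


def build_unsafe_sql(col_names, col_values):
    """Mirror of the quoted CFML: both fragments are interpolated verbatim.

    preserveSingleQuotes() turns off ColdFusion's automatic quote escaping,
    so a value containing an apostrophe reaches the database unchanged.
    """
    return f"INSERT INTO t_doctors ({col_names}) VALUES ({col_values})"


def statement_parses(conn, sql):
    """Return True if SQLite accepts the statement, False on a SQL error."""
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        return False


def validate_columns(col_names):
    """Split a comma-separated column list and reject anything not on the allow-list."""
    cols = [c.strip() for c in col_names.split(",") if c.strip()]
    if not cols:
        raise ValueError("no columns supplied")
    bad = [c for c in cols if c not in ALLOWED_COLUMNS]
    if bad:
        raise ValueError(f"columns not permitted: {bad}")
    return cols


def open_db():
    """Constructed schema matching the column names used in this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE t_doctors ("
        "id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, specialty TEXT)"
    )
    return conn


def insert_doctor(conn, col_names, values):
    """Hardened insert: allow-listed identifiers, bound parameters, one statement.

    Returns the new primary key, the role SCOPE_IDENTITY() plays in the quoted query.
    """
    cols = validate_columns(col_names)
    if len(cols) != len(values):
        raise ValueError("column/value count mismatch")
    placeholders = ", ".join("?" for _ in cols)
    sql = f"INSERT INTO t_doctors ({', '.join(cols)}) VALUES ({placeholders})"
    cur = conn.execute(sql, tuple(values))
    conn.commit()
    return cur.lastrowid


def fetch_doctor(conn, pk):
    row = conn.execute(
        "SELECT first_name, last_name, specialty FROM t_doctors WHERE id = ?", (pk,)
    ).fetchone()
    return row


if __name__ == "__main__":
    conn = open_db()
    # A perfectly ordinary surname breaks the verbatim builder.
    print(statement_parses(conn, build_unsafe_sql("last_name", "'O'Brien'")))
    # The parameterised path stores the same value intact.
    pk = insert_doctor(conn, "first_name, last_name", ["Maeve", "O'Brien"])
    print(pk, fetch_doctor(conn, pk))
```

The identifier check is the part parameter binding cannot do for you: placeholders cover values, but a column list has to be constrained by the application, and an allow-list is the simplest way to do that. SQLite's `execute()` also refuses a second statement in one call, which is the behaviour the quoted reply attributes to "most other databases".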

