WHERE pa_name like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#form.pa_name#%" />
..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-----Original Message-----
From: Les Mizzell [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 11, 2007 12:34 PM
To: CF-Talk
Subject: Re: How to protect this query?

I guess I'm a little unclear on how to use a "like" with cfqueryparam.

> I'd change the select * to a specific list of columns, and replace the
> '%... with a cfqueryparam as you well know.
>
>
> On 9/11/07, Les Mizzell <[EMAIL PROTECTED]> wrote:
>> I'm working my way through some legacy sites that have queries that
>> need a little securing from SQL injection attacks. Most of them
>> simply need cfqueryparam added. But, what's "best practice" for the
>> simple query below?
>>
>> <cfquery name="getPA"
>>          datasource="#request.datasource#"
>>          username="#request.username#"
>>          password="#request.password#">
>>   SELECT * FROM pa
>>   WHERE pa_name like '%#form.pa_name#%'
>> </cfquery>

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:288170
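The fix in the reply above, shown as an added example in Python with sqlite3 (not code from the thread, whose platform is ColdFusion): the same technique cfqueryparam applies, with the `%` wildcards placed in the bound value rather than in the SQL text. It also escapes `%` and `_` in the search term so a user cannot widen the match, a step the thread does not cover; the `pa` table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "pa" table.
SAMPLE_ROWS = [
    ("Acme Widgets",),
    ("Acme_Widgets Inc",),
    ("Ajax Tooling",),
    ("O'Brien Supply",),
]

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pa (pa_name TEXT)")
    conn.executemany("INSERT INTO pa VALUES (?)", SAMPLE_ROWS)
    return conn

def search_unsafe(conn, term):
    # The legacy pattern from the thread: input spliced into the SQL text.
    sql = f"SELECT pa_name FROM pa WHERE pa_name LIKE '%{term}%' ORDER BY rowid"
    return [r[0] for r in conn.execute(sql)]

def unsafe_query_fails(conn, term):
    # True when the spliced text is no longer valid SQL (a single quote in
    # the search term is enough): the parser, not the data, decides what runs.
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True

def search_param(conn, term):
    # The cfqueryparam equivalent: wildcards go into the bound value, the
    # SQL text is fixed, so quotes in `term` are plain data.
    sql = "SELECT pa_name FROM pa WHERE pa_name LIKE ? ORDER BY rowid"
    return [r[0] for r in conn.execute(sql, (f"%{term}%",))]

def escape_like(term, esc="\\"):
    # Neutralise LIKE metacharacters (%, _ and the escape char itself)
    # so user input cannot widen the match beyond a literal substring.
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))

def search_param_literal(conn, term):
    # Bound parameter plus ESCAPE: `term` is matched as literal text only.
    sql = "SELECT pa_name FROM pa WHERE pa_name LIKE ? ESCAPE '\\' ORDER BY rowid"
    return [r[0] for r in conn.execute(sql, (f"%{escape_like(term)}%",))]
```

Compare `search_param(conn, "Acme_W")`, which also matches "Acme Widgets" because `_` is a wildcard, with `search_param_literal`, which returns only the row containing a literal underscore.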

