> Thanks for the link. I see that you authored this article. Very well
> laid out. I understand SQL Injection and qhy to use CFQUERYPARAM.
> What I did not see in the article was how to take a CFSET statement
> that builds a SQL String and put CFQUERYPARAMS into it and make it
> work.
>
> Like:
>
> <cfset theSQL = "SELECT queryName, title, content FROM content WHERE
> queryName = '<cfqueryparam cfsqltype="cf_sql_varchar" value="#URL.queryName#"
> >'" >
>
> How does one accomplish this?
You can't really do it like that... you can never put cf tags inside a
string literal and have them work (except in the case of code generation,
which isn't what you want). (Also the double-quotes would need to be
escaped ("") in order to embed them in a string.)
The reason why the cfquery tag has an end-tag however is actually to
eliminate the need to build sql statements using string literals like
this. So normally you would use this:
<cfquery ...>
SELECT queryName, title, content FROM content
WHERE queryName =
<cfqueryparam cfsqltype="cf_sql_varchar" value="#URL.queryName#" />
</cfquery>
Note that when you use a cfqueryparam tag you omit the single-quotes
around the parameter. The parameter will handle the quotes for you if
they're needed.
Having said that, the DataFaucet ORM actually does use a technique which
allows it to have just one pair of cfquery tags in the entire framework,
which behaves similarly to what you're describing. They don't work on a
string literal however, they work on an array which contains some
strings and some structures, where the structures contain the attributes
that will go into cfqueryparam tags. That looks similar to this:
<cfquery ...>
<cfloop index="x" from="1" to="#ArrayLen(sql)#">
<cfif isStruct(sql[x])>
<cfqueryparam attributecollection="#sql[x]#" />
<cfelse>
#preserveSingleQuotes(sql[x])#
</cfif>
</cfloop>
</cfquery>
Other mechanisms within the ORM framework help to prevent SQL injection
-- with just a small number of rules to follow regarding the things you
should not do with the ORM to prevent opening yourself to attacks.
--
s. isaac dealey ^ new epoch
isn't it time for a change?
ph: 781.769.0723
http://onTap.riaforge.org/blog
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317694
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
