> Thanks for the link. I see that you authored this article. Very well > laid out. I understand SQL Injection and qhy to use CFQUERYPARAM. > What I did not see in the article was how to take a CFSET statement > that builds a SQL String and put CFQUERYPARAMS into it and make it > work. > > Like: > > <cfset theSQL = "SELECT queryName, title, content FROM content WHERE > queryName = '<cfqueryparam cfsqltype="cf_sql_varchar" value="#URL.queryName#" > >'" > > > How does one accomplish this?
You can't really do it like that... you can never put cf tags inside a string literal and have them work (except in the case of code generation, which isn't what you want). (Also the double-quotes would need to be escaped ("") in order to embed them in a string.) The reason why the cfquery tag has an end-tag however is actually to eliminate the need to build sql statements using string literals like this. So normally you would use this: <cfquery ...> SELECT queryName, title, content FROM content WHERE queryName = <cfqueryparam cfsqltype="cf_sql_varchar" value="#URL.queryName#" /> </cfquery> Note that when you use a cfqueryparam tag you omit the single-quotes around the parameter. The parameter will handle the quotes for you if they're needed. Having said that, the DataFaucet ORM actually does use a technique which allows it to have just one pair of cfquery tags in the entire framework, which behaves similarly to what you're describing. They don't work on a string literal however, they work on an array which contains some strings and some structures, where the structures contain the attributes that will go into cfqueryparam tags. That looks similar to this: <cfquery ...> <cfloop index="x" from="1" to="#ArrayLen(sql)#"> <cfif isStruct(sql[x])> <cfqueryparam attributecollection="#sql[x]#" /> <cfelse> #preserveSingleQuotes(sql[x])# </cfif> </cfloop> </cfquery> Other mechanisms within the ORM framework help to prevent SQL injection -- with just a small number of rules to follow regarding the things you should not do with the ORM to prevent opening yourself to attacks. -- s. isaac dealey ^ new epoch isn't it time for a change? ph: 781.769.0723 http://onTap.riaforge.org/blog ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317694 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4