Hi guys,

I'm working on a very old CF application at the moment. When it was first 
created, apparently nobody cared about sanitizing SQL statements. There are 
lots of SQL queries in the code and most don't use <cfqueryparam>, which I 
would like to change whenever I stumble upon one of these. However, there is a 
slight problem: In many places the query statement is being assembled outside 
of <cfquery> by various functions and then there is only <cfquery 
...>#sql#</cfquery> in the code.

Is there any way to make CF use bind variables in SQL statements apart from 
<cfqueryparam>, which obviously is not allowed outside of <cfquery>? I'm 
thinking about the flexibility in Java where you can just use ":foo" in 
statement strings and then provide a parameter map to the query. And if there 
isn't...how do you deal with situations like this?


Till Helge
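One way to get the ":foo" placeholder plus parameter-map style described above in plain tag-based CFML, as an added example that is not from the original thread: build the statement with `:name` tokens and a struct of typed values, and let a single helper split the string and emit a `<cfqueryparam>` for every token inside one `<cfquery>`. The helper name `runQuery`, the datasource `myDSN` and the sample query are assumptions.

```cfml
<!--- Added example, not code from the original message. Assumes a
      datasource named "myDSN" (placeholder) and ColdFusion 8 or later
      for reMatch() and array loops. --->
<cffunction name="runQuery" returntype="query" output="false">
    <cfargument name="sql" type="string" required="true">
    <cfargument name="params" type="struct" required="true">
    <cfset var result = "">
    <cfset var piece = "">
    <cfset var pieces = "">
    <cfset var key = "">

    <!--- Split the statement into ":name" tokens, runs of ordinary SQL
          text, and lone colons (e.g. inside a time literal) so that
          nothing is dropped when the pieces are reassembled. --->
    <cfset pieces = reMatch(":[A-Za-z_][A-Za-z0-9_]*|[^:]+|:", arguments.sql)>

    <cfquery name="result" datasource="myDSN">
        <cfloop array="#pieces#" index="piece">
            <cfif len(piece) GT 1 AND left(piece, 1) EQ ":">
                <cfset key = mid(piece, 2, len(piece) - 1)>
                <cfif NOT structKeyExists(arguments.params, key)>
                    <cfthrow message="Missing bind value for :#key#">
                </cfif>
                <!--- The value goes to the driver as a bind variable,
                      never spliced into the SQL text. --->
                <cfqueryparam value="#arguments.params[key].value#"
                              cfsqltype="#arguments.params[key].cfsqltype#">
            <cfelse>
                #piece#
            </cfif>
        </cfloop>
    </cfquery>
    <cfreturn result>
</cffunction>

<!--- Usage: the SQL can be assembled anywhere in the application and
      still ends up fully parameterised at execution time. --->
<cfset articles = runQuery(
    "SELECT id, title FROM articles WHERE author_id = :authorId AND created > :since",
    { authorId = { value = url.author, cfsqltype = "cf_sql_integer" },
      since    = { value = "2010-01-01", cfsqltype = "cf_sql_date" } }
)>
```

On ColdFusion 11 or later (and on Lucee), `queryExecute(sql, params)` accepts the same `:name` tokens with a struct of parameters natively, so the helper is only needed on older servers.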


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351503