If you're on CF9+, then you can do what you want:

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSe9cbe5cf462523a0693d5dae123bcd28f6d-7ffb.html

You can also duplicate this concept in earlier versions of ColdFusion. I
actually built an implementation for CF8 (probably would work in CF7 too)
that also fixed some of the bugs/issues w/the CF9 implementation due to how
they parse out the params (but it uses the same syntax.)

Unfortunately, I can't share the code, but the basic idea is you just parse
the SQL statement and then inside a <cfquery> statement you walk through
the parsed string, outputting the straight text or implementing
<cfqueryparam /> when you come to a parameter statement.

-Dan

On Fri, Jun 8, 2012 at 4:06 AM, Helwig, Till Helge <till.hel...@saxsys.de> wrote:

>
> Hi guys,
>
> I'm working on a very old CF application at the moment. When it was first
> created, apparently nobody cared about sanitizing SQL statements. There are
> lots of SQL queries in the code and most don't use <cfqueryparam>, which I
> would like to change whenever I stumble upon one of these. However, there
> is a slight problem: In many places the query statement is being assembled
> outside of <cfquery> by various functions and then there is only <cfquery
> ...>#sql#</cfquery> in the code.
>
> Is there any way to make CF use bind variables in SQL statements apart
> from <cfqueryparam>, which obviously is not allowed outside of <cfquery>?
> I'm thinking about the flexibility in Java where you can just use ":foo" in
> statement strings and then provide a parameter map to the query. And if
> there isn't...how do you deal with situations like this?
>
>
> Till Helge
>
>
> 
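The approach Dan outlines above (parse the SQL string first, then inside a single <cfquery> walk the tokens, emitting the literal text as-is or a <cfqueryparam> when you reach a parameter), written out as an added example. This is not Dan's implementation, which he says he cannot share, nor Adobe's CF9 feature; it assumes the Java-style `:name` placeholders Till describes, and the datasource `myDsn`, the `users` table and the function names are made up for illustration. The tokenizer copies single-quoted literals through untouched, so a colon inside a string is never mistaken for a placeholder, and leaves `::` (a PostgreSQL cast) alone.

```cfml
<!--- Added example: tokenize a SQL string with :name placeholders into
      plain-text tokens and parameter tokens. --->
<cffunction name="tokenizeNamedParams" returntype="array" output="false">
    <cfargument name="sql" type="string" required="true">
    <cfset var tokens = arrayNew(1)>
    <cfset var text = "">
    <cfset var sqlLen = len(arguments.sql)>
    <cfset var i = 1>
    <cfset var c = "">
    <cfset var m = "">

    <cfloop condition="i LTE sqlLen">
        <cfset c = mid(arguments.sql, i, 1)>
        <cfif c EQ "'">
            <!--- copy the whole quoted literal, including doubled '' escapes --->
            <cfset text &= c>
            <cfset i++>
            <cfloop condition="i LTE sqlLen">
                <cfset c = mid(arguments.sql, i, 1)>
                <cfset text &= c>
                <cfset i++>
                <cfif c EQ "'">
                    <cfif i LTE sqlLen AND mid(arguments.sql, i, 1) EQ "'">
                        <cfset text &= "'">
                        <cfset i++>
                    <cfelse>
                        <cfbreak>
                    </cfif>
                </cfif>
            </cfloop>
        <cfelseif c EQ ":" AND i LT sqlLen AND mid(arguments.sql, i + 1, 1) EQ ":">
            <!--- '::' is a cast, not a placeholder --->
            <cfset text &= "::">
            <cfset i += 2>
        <cfelseif c EQ ":">
            <cfset m = reFind(":([A-Za-z_][A-Za-z0-9_]*)", arguments.sql, i, true)>
            <cfif m.pos[1] EQ i>
                <!--- flush pending text, then record the placeholder by name --->
                <cfif len(text)>
                    <cfset arrayAppend(tokens, {type = "text", value = text})>
                    <cfset text = "">
                </cfif>
                <cfset arrayAppend(tokens, {type = "param", name = mid(arguments.sql, m.pos[2], m.len[2])})>
                <cfset i += m.len[1]>
            <cfelse>
                <!--- a ':' not followed by an identifier stays literal text --->
                <cfset text &= c>
                <cfset i++>
            </cfif>
        <cfelse>
            <cfset text &= c>
            <cfset i++>
        </cfif>
    </cfloop>

    <cfif len(text)>
        <cfset arrayAppend(tokens, {type = "text", value = text})>
    </cfif>
    <cfreturn tokens>
</cffunction>

<!--- Run the tokenized statement inside one <cfquery>, emitting <cfqueryparam>
      wherever a placeholder appeared. params is a struct keyed by placeholder
      name; each value is a struct {value, cfsqltype}. --->
<cffunction name="runNamedQuery" returntype="query" output="false">
    <cfargument name="sql" type="string" required="true">
    <cfargument name="params" type="struct" required="true">
    <cfargument name="datasource" type="string" required="true">
    <cfset var tokens = tokenizeNamedParams(arguments.sql)>
    <cfset var result = "">
    <cfset var t = "">
    <cfset var p = "">

    <!--- fail closed: a placeholder with no value is a bug, not empty input --->
    <cfloop array="#tokens#" index="t">
        <cfif t.type EQ "param" AND NOT structKeyExists(arguments.params, t.name)>
            <cfthrow type="MissingQueryParam" message="No value supplied for :#t.name#">
        </cfif>
    </cfloop>

    <cfquery name="result" datasource="#arguments.datasource#">
        <cfloop array="#tokens#" index="t">
            <cfif t.type EQ "param">
                <cfset p = arguments.params[t.name]>
                <cfqueryparam value="#p.value#" cfsqltype="#p.cfsqltype#">
            <cfelse>
                <!--- cfquery doubles single quotes in #vars# unless told not to --->
                #preserveSingleQuotes(t.value)#
            </cfif>
        </cfloop>
    </cfquery>
    <cfreturn result>
</cffunction>

<!--- Usage (constructed: datasource "myDsn" and the users table are assumed) --->
<cfset q = runNamedQuery(
    "SELECT id, name FROM users WHERE status = :status AND created > :since AND note <> 'n/a :x'",
    { status = { value = "active", cfsqltype = "cf_sql_varchar" },
      since  = { value = createDate(2012, 1, 1), cfsqltype = "cf_sql_timestamp" } },
    "myDsn"
)>
```

Because the SQL string is split before the query is built and every placeholder value reaches the database only through <cfqueryparam>, the functions that assemble `sql` elsewhere in the application can keep producing a plain string; the `'n/a :x'` in the sample shows that a colon inside a string literal is left as text. For `IN (:ids)` style placeholders, add a `list="true"` attribute to the emitted <cfqueryparam>, and note that placeholders can only stand in for values, never for table or column names.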

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351504