Btw cfqueryparam is not actually there to protect against sql injection,
rather it is for parameterising queries to create execution plans for better
performance.
You can validate data in various ways before using it in your query to achieve
the same result, such as cfparam, which will sometimes be better than
relying on cfqueryparam, which may in fact reduce performance sometimes.
Protecting against sql injection also requires more than simply validating
datatypes; relying on cfqueryparam to do this will only protect you from
the basic drive-by injections that rely on numeric fields accepting
strings, not advanced injections which can be done on any text field.

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Mar 5, 2013 7:05 PM, "Byron Mann" <byronos...@gmail.com> wrote:

>
> Not concerned with the sql syntax as much as I am about not using
> cfqueryparam.
>
> Please please please take the time to convert every query you have to use
> that.
>
> Based on your cfarguments and db permissions for your dsn, a bad bad user
> might be able to delete everything from your database.
>
> Byron Mann
> Lead Engineer & Architect
> HostMySite.com
> On Mar 5, 2013 11:48 AM, "Rick Faircloth" <r...@whitestonemedia.com>
> wrote:
>
> >
> > <cfquery name = "qGetAllPropertiesAndOpenHouses"
> > datasource="#arguments.real_estate_dsn#">
> >
> >    select      substring_index(p.mls_number, '_', 1) as p.mls_number,
> >                p.street_number, p.street_name, p.city, p.state,
> >                oh.mls_number, oh.date, oh.start_time, oh.end_time,
> > oh.host_name
> >
> >    from        properties p
> >
> >    left join   fortstewart.open_houses oh
> >    on          substring_index(p.mls_number, '_', 1) = oh.mls_number
> >
> >    where       p.listing_office_mls_id =
> > '#arguments.listing_office_mls_id#'
> >    order by    p.street_name, p.street_number
> >
> > </cfquery>
> >
> > I keep getting a CF error stating I have a syntax error on this line:
> >
> > where            p.listing_office_mls_id =
> > '#arguments.listing_office_mls_id#'
> >
> >
> > Anything?
> >
> > Thanks!
> >
> > Rick
> >
> >
> >
> >
>
> 

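The thread turns on the difference between pasting `#arguments.listing_office_mls_id#` into the SQL text and handing it to the driver as a bind parameter, which is what `<cfqueryparam cfsqltype="cf_sql_varchar">` does. The following added example (not code from the thread or from any of its posters) reproduces both styles against a constructed SQLite table that stands in for the `properties` table in Rick's query, and shows how the two behave when the argument is a plain office id, a value containing an apostrophe, and a value with embedded SQL. The table layout, row values and office ids are all invented for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the `properties` table in the thread.
# Columns: mls_number, street_number, street_name, city, state, listing_office_mls_id
SAMPLE_ROWS = [
    ("123_A", "10", "Main St", "Hinesville", "GA", "OFFICE1"),
    ("124_B", "22", "Oak Ave", "Hinesville", "GA", "OFFICE2"),
    ("125_C", "7", "O'Neil Rd", "Hinesville", "GA", "OFFICE1"),
]


def make_db():
    """Build an in-memory database with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table properties ("
        " mls_number text, street_number text, street_name text,"
        " city text, state text, listing_office_mls_id text)"
    )
    conn.executemany("insert into properties values (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def query_interpolated(conn, office_id):
    """Mirrors the quoted query: the argument is spliced into the SQL text.

    Any quote character in office_id becomes part of the statement's syntax,
    so the database sees a different statement than the one the author wrote.
    """
    sql = (
        "select mls_number, street_name from properties "
        f"where listing_office_mls_id = '{office_id}' order by street_name"
    )
    return conn.execute(sql).fetchall()


def query_bound(conn, office_id):
    """Mirrors cfqueryparam: the statement is fixed and the value is bound separately.

    The SQL text never changes, whatever office_id contains; the driver sends
    the value as data, so it is only ever compared against the column.
    """
    sql = (
        "select mls_number, street_name from properties "
        "where listing_office_mls_id = ? order by street_name"
    )
    return conn.execute(sql, (office_id,)).fetchall()


def compare(office_id):
    """Run both styles on the same input and report rows and any SQL error."""
    conn = make_db()
    try:
        interpolated, error = query_interpolated(conn, office_id), None
    except sqlite3.Error as exc:
        interpolated, error = None, type(exc).__name__
    bound = query_bound(conn, office_id)
    conn.close()
    return {"interpolated": interpolated, "interpolated_error": error, "bound": bound}


if __name__ == "__main__":
    for value in ("OFFICE1", "O'Brien", "x' or '1'='1"):
        print(repr(value), compare(value))
```

With a well-formed id both queries return the same two rows. With `O'Brien` the interpolated statement is no longer valid SQL and the driver raises a syntax error, which is the same failure mode a stray apostrophe in `arguments.listing_office_mls_id` would produce in the quoted `<cfquery>`; the bound query simply finds no rows. With a value carrying its own `or` clause the interpolated statement returns every row in the table while the bound query again returns none. Separately, the `as p.mls_number` alias in the quoted select list is itself invalid in MySQL (a column alias cannot carry a table qualifier), which is a likelier cause of the reported syntax error than the argument value.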
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354835