Hi. I am about to use a user-input string in the where clause of a SQL query. I know, yikes. Unfortunately, there is a wide variety of valid characters, from numbers to letters to punctuation. So, I want to remove (or at least escape out) any characters which are not allowed. I have already screened for blatant attacks, so that should be covered. But at this point, I want to make sure that (for example) someone's innocent entry of: I am trying to access the database, but I can't get in there. ..doesn't terminate the where clause at the apostrophe in "can't". My first thought is to remove the problematic special characters. So my first question: are these the only special characters that I need to worry about: in cases such as WHERE ColumnName = '#CFVariable#' or WHERE ColumnName = #CFVariable# ' ; in cases such as WHERE ColumnName LIKE '#CFVariable#' or WHERE ColumnName LIKE #CFVariable# ' ; _ & The second question: is there some smarter way to do this than simply removing the characters? In other words, is there some equivalent of HTMLEditFormat for SQL? CFQUERYPARAM keeps the wrong data from going in, but is there some convenient way of coding and uncoding SQL special characters? Thanks, Matthieu ______________________________________________________________________ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
