Just wanted to add another thought on this thread from earlier in the week. The issue was that Seth wanted to make his ORDER BY clause to be driven by a user-entered variable (in his case, a form radio button selecting the field to sort by), and he found that CFQUERYPARAM wasn't working for that (because it's designed for substituting values in a WHERE clause, not table.or column names.) Dean's proposal of using a number to do the sorting is indeed a useful one, but I thought of something that none of us mentioned. Since you know that the list of columns is a limited set, you could also keep it the simpler way of passing in the column names (if you needed to for some reason), but always compare the input field name against the set of valid columns to sort by. That way, any nefarious attempt by a user to inject extra SQL statements will be detected and prevented. Hope that's helpful. /charlie
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Monday, July 23, 2007 4:52 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort Yes, Seth, technically you are correct. But there is a better way here. Instead of passing the sort column name directly from the user, send a proxy value for the order by clause. In other words, identify the different order by clauses by numeric value, 1, 2, 3, 4, etc. In the query you would include a <cfswitch> and the cases would be the different numeric values. These would then define what the ORDER by value would be. No more SQL injection and no need to much around with <cfqueryparam> here, either. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] "Great spirits have often encountered violent opposition from weak minds." --Einstein On Jul 23, 2007, at 4:46 PM, Tepfer, Seth wrote: Aren't dynamic ORDER BY variables just as susceptible to SQL injection as WHERE clauses? ------------------------------------------------------------- Annual Sponsor FigLeaf Software - http://www.figleaf.com To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform For more info, see http://www.acfug.org/mailinglists Archive @ http://www.mail-archive.com/discussion%40acfug.org/ List hosted by http://www.fusionlink.com -------------------------------------------------------------
