You should use, in every query where you try to retrieve, update or insert
data into a field of type String (I mean varchar, nvarchar, etc.), the
function replace(Strvalue, "'", "''").

Regards,

PS: This developer mistake lets the attacker do one simple SQL data
injection in your database.

--
M. Sc. Hassan Arteaga Rodríguez 
Microsoft Certified System Engineer
WEB Programmer. Network Admin
[EMAIL PROTECTED]
http://www.enmicuba.com
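Worked example (added here; it is not code from either poster and not ColdFusion code): a small Python script using sqlite3 as a stand-in for SQL Server and cfquery. Both engines use the same rule for string literals, so the quote-doubling from the reply behaves the same way. The script reproduces the failure James describes (a value containing a single quote pasted into the SQL text), shows the replace-based fix from the reply round-tripping such values, and, going one step beyond the post, shows the same operations with bound parameters (the sqlite3 `?` placeholder; cfqueryparam plays that role in CFML), which keeps data out of the SQL text entirely. The table, column names and sample values are constructed for the example.

```python
import sqlite3

# Constructed sample data: the kind of ciphertext Encrypt() can produce, with an
# embedded single quote (the character that broke the original poster's query),
# plus a value that already contains a doubled quote and a username with a quote.
SAMPLE_ROWS = [
    ("alice", "k3Q'9zLp"),
    ("bob", "plain"),
    ("carol", "it''s"),
    ("o'brien", "Z8'x''Q"),
]


def escape_sql_string(value: str) -> str:
    """The technique from the reply: double every single quote so the value can
    sit inside a '...' SQL literal. Same effect as replace(Strvalue, "'", "''")."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a constructed table (example schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE secrets (username TEXT PRIMARY KEY, payload TEXT NOT NULL)"
    )
    return conn


def insert_unescaped(conn, username, payload):
    """The original poster's situation: the value is pasted straight into the SQL
    text, so a quote inside it terminates the literal early and the statement
    no longer parses."""
    conn.execute(f"INSERT INTO secrets VALUES ('{username}', '{payload}')")


def insert_escaped(conn, username, payload):
    """Reply's fix: every string value passes through escape_sql_string first."""
    conn.execute(
        "INSERT INTO secrets VALUES ('%s', '%s')"
        % (escape_sql_string(username), escape_sql_string(payload))
    )


def fetch_escaped(conn, username):
    """The same rule applies to values used in WHERE clauses on SELECT."""
    row = conn.execute(
        "SELECT payload FROM secrets WHERE username = '%s'"
        % escape_sql_string(username)
    ).fetchone()
    return row[0] if row else None


def insert_param(conn, username, payload):
    """Bound parameters: the driver sends values separately from the SQL text,
    so no quoting rule has to be applied by hand (cfqueryparam in CFML)."""
    conn.execute("INSERT INTO secrets VALUES (?, ?)", (username, payload))


def fetch_param(conn, username):
    row = conn.execute(
        "SELECT payload FROM secrets WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run the three variants and report what each one did."""
    # 1. Unescaped: fails exactly as described in the thread.
    conn = make_db()
    try:
        insert_unescaped(conn, "alice", "k3Q'9zLp")
        raw_failed = False
    except sqlite3.OperationalError:
        raw_failed = True

    # 2. Escaped with the reply's replace(): every sample value round-trips.
    conn = make_db()
    for user, payload in SAMPLE_ROWS:
        insert_escaped(conn, user, payload)
    escaped_ok = all(fetch_escaped(conn, u) == p for u, p in SAMPLE_ROWS)

    # 3. Bound parameters: same result, with no string manipulation at all.
    conn = make_db()
    for user, payload in SAMPLE_ROWS:
        insert_param(conn, user, payload)
    param_ok = all(fetch_param(conn, u) == p for u, p in SAMPLE_ROWS)

    return {"raw_failed": raw_failed, "escaped_ok": escaped_ok, "param_ok": param_ok}


if __name__ == "__main__":
    print(demo())  # expect all three flags True
```

The escaping helper must be applied to every string value in every statement, including the SELECT side, or a single missed call brings back both the syntax error and the injection risk the reply warns about; bound parameters avoid that per-call discipline, which is why they are the usual recommendation when the driver supports them.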


-----Original Message-----
From: James Johnson [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 14, 2003 11:53 AM
To: CF-Talk
Subject: Encrypt() putting single quote in string, causes SQL error when
trying to SELECT


Hi,

Have an interesting problem. I'm using Encrypt() to store sensitive user
data in SQL Server. On some strings, the function is encrypting with a
single quote as one of the chars. This is causing a SQL error when I'm
trying to either enter or retrieve the data with cfquery.

Has anyone run across this problem? Can anyone offer a workaround?

Thanks,

James


Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq