Parse the stored string and put everything after your comparison as the value of cfqueryparam.
On Sun, Aug 3, 2008 at 7:59 PM, Rich <[EMAIL PROTECTED]> wrote:
> Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in
> one case, I'm storing the "WHERE" conditions in a user account so that
> the user can call up the last search he did. So I construct the
> string (e.g. parameter1='A' AND parameter2='B'...) and when I store
> that finished string, I use cfqueryparam. However, what if code for
> an SQL injection is entered there? Although it will not be executed
> when it is stored, it could be executed when it is called up later:
>
> <cfquery...
> SELECT * FROM Table1
> WHERE #storedString#
> </cfquery>
>
> The only thing I can think of is dynamically building the string in
> the WHERE clause and inserting the appropriate cfqueryparam tag for
> each parameter. Seems pretty cumbersome. Are there any other
> solutions?
>
> Thanks,
>
> Rich

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3111
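The per-parameter approach discussed in the thread, written out as an added example (this is not code from the original posts). It assumes a datasource named `myDS` (placeholder), the table `Table1` and columns `parameter1`/`parameter2` from the question, plus a hypothetical `parameter3`. The point is that the saved search is stored as structured criteria (column name plus value) instead of as finished SQL text, so the WHERE clause is rebuilt with one cfqueryparam per value every time it runs; the stored string is never interpolated into the query. Column names cannot be bound with cfqueryparam, so they are checked against an allow list before the query is built.

```cfml
<!--- Added example, not from the original thread. Assumes datasource "myDS"
      (placeholder) and the table/columns named in the question. --->

<!--- Columns a saved search may filter on. Identifiers cannot be bound as
      parameters, so the only defence for them is this allow list. --->
<cfset allowedColumns = "parameter1,parameter2,parameter3">

<!--- Saving a search: keep the criteria, not the finished WHERE string. --->
<cfset criteria = structNew()>
<cfset criteria["parameter1"] = "A">
<cfset criteria["parameter2"] = "B">
<cfset storedCriteria = serializeJSON(criteria)>
<!--- storedCriteria is what goes into the user's account row
      (written with its own cfqueryparam, cf_sql_longvarchar). --->

<!--- Calling the search up later: decode the criteria and validate every
      column name before any SQL is assembled. --->
<cfset saved = deserializeJSON(storedCriteria)>
<cfset whereColumns = structNew()>
<cfloop collection="#saved#" item="col">
    <cfset pos = listFindNoCase(allowedColumns, col)>
    <cfif pos EQ 0>
        <cfthrow message="Saved search refers to a column that is not allowed: #col#">
    </cfif>
    <!--- Use the allow list's own spelling of the column, never the stored key. --->
    <cfset whereColumns[listGetAt(allowedColumns, pos)] = saved[col]>
</cfloop>

<!--- Rebuild the WHERE clause; every value is a bound parameter. --->
<cfquery name="results" datasource="myDS">
    SELECT *
    FROM Table1
    WHERE 1 = 1
    <cfloop collection="#whereColumns#" item="col">
        AND #col# = <cfqueryparam value="#whereColumns[col]#" cfsqltype="cf_sql_varchar">
    </cfloop>
</cfquery>
```

Because the stored value is a JSON object of column/value pairs rather than SQL, anything a user managed to put into a value (quotes, semicolons, `OR 1=1`) reaches the database only as a bound string compared against one column. The `WHERE 1 = 1` guard keeps the generated clause valid whether zero or several criteria are present.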
