When building the string parameter1='A' AND parameter2='B', build it the way you want to run it:

parameter1=<cfqueryparam value='A'> AND parameter2=<etc>

Since you are building the string, Maureen was suggesting you run through your stored WHERE value and place 'A' (a known string after an = sign) into a cfqueryparam. Loop through the WHERE clause, finding all the name/value pairs.

I am going a step further, and suggesting maybe you should include the cfqueryparams in the WHERE string before you store it to the db.

On Mon, Aug 4, 2008 at 1:57 AM, Rich <[EMAIL PROTECTED]> wrote:
> I don't follow.
>
>
> On Aug 4, 2008, at 12:50 AM, Maureen wrote:
>
> > Parse the stored string and put everything after your comparison as the
> > value of cfqueryparam.
> >
> > On Sun, Aug 3, 2008 at 7:59 PM, Rich <[EMAIL PROTECTED]> wrote:
> >> Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in
> >> one case, I'm storing the "WHERE" conditions in a user account so that
> >> the user can call up the last search he did. So I construct the
> >> string (e.g. parameter1='A' AND parameter2='B'...) and when I store
> >> that finished string, I use cfqueryparam. However, what if code for
> >> an SQL injection is entered there? Although it will not be executed
> >> when it is stored, it could be executed when it is called up later:
> >>
> >> <cfquery...
> >> SELECT * FROM Table1
> >> WHERE #storedString#
> >> </cfquery>
> >>
> >> The only thing I can think of is dynamically building the string in
> >> the WHERE clause and inserting the appropriate cfqueryparam tag for
> >> each parameter. Seems pretty cumbersome. Are there any other
> >> solutions?
> >>
> >> Thanks,
> >>
> >> Rich
>

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3113
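Added example, not code from the thread: the approach Maureen and the reply describe, walking the stored WHERE string, pulling out each name/value pair and binding the value instead of splicing it back into the SQL. It is written in Python with sqlite3's `?` placeholders standing in for cfqueryparam; the table and column names are the thread's, while the column allow-list, the `''` escaped-quote convention and the sample rows are assumptions. It also goes one step further than the thread: any clause that is not a plain name='value' pair joined by AND is rejected rather than executed.

```python
import re
import sqlite3

# Column allow-list (assumption: the real table's columns; names taken from the thread's example).
ALLOWED_COLUMNS = {"parameter1", "parameter2"}

# One name/value pair: identifier, '=', a single-quoted value in which '' is an escaped quote.
PAIR_RE = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*'((?:[^']|'')*)'\s*")
AND_RE = re.compile(r"AND\s+", re.IGNORECASE)


def parse_where(stored):
    """Return the (column, value) pairs of a stored WHERE string, or raise ValueError.

    Values become bind parameters, never SQL text, so a payload saved in an earlier
    search is compared literally when the search is replayed."""
    pairs, pos = [], 0
    while True:
        m = PAIR_RE.match(stored, pos)
        if not m:
            raise ValueError("unparseable clause at offset %d: %r" % (pos, stored[pos:]))
        column, value = m.group(1), m.group(2).replace("''", "'")
        if column not in ALLOWED_COLUMNS:
            raise ValueError("column not allowed: %r" % column)
        pairs.append((column, value))
        pos = m.end()
        if pos == len(stored):
            return pairs
        sep = AND_RE.match(stored, pos)
        if not sep:
            raise ValueError("expected AND at offset %d: %r" % (pos, stored[pos:]))
        pos = sep.end()


def build_query(pairs):
    """Rebuild the query with one placeholder per pair; the values travel separately."""
    where = " AND ".join("%s = ?" % column for column, _ in pairs)
    return "SELECT * FROM Table1 WHERE " + where, [value for _, value in pairs]


def run_stored_search(conn, stored):
    sql, params = build_query(parse_where(stored))
    return conn.execute(sql, params).fetchall()


def demo():
    # Constructed in-memory data; one row holds a value that merely looks like a payload.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (parameter1 TEXT, parameter2 TEXT)")
    conn.executemany("INSERT INTO Table1 VALUES (?, ?)",
                     [("A", "B"), ("A", "x' OR 1=1 --"), ("C", "B")])
    return run_stored_search(conn, "parameter1='A' AND parameter2='B'")
```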
