Then what Maureen was suggesting was what I was actually trying to avoid. I guess there's no easy solution. As far as what you're suggesting, the cfqueryparam tag will be processed when the string is constructed. How can you enter it into the string as straight text to be processed later?

Thanks,

Rich

On Aug 4, 2008, at 2:05 AM, Jerry Johnson wrote:

> when building the string
>
> parameter1='A' AND parameter2='B'
>
> build it the way you want to run it.
>
> parameter1=<cfqueryparam value='A'> AND parameter2=<etc>
>
> since you are building the string, Maureen was suggesting you run through
> your stored WHERE value, and place 'A' (a known string after an = sign) into
> a cfqueryparam. loop through the WHERE clause, finding all the name/value
> pairs.
>
> I am going a step further, and suggesting maybe you should include the
> cfqueryparams in the WHERE string before you store it to the db
>
> On Mon, Aug 4, 2008 at 1:57 AM, Rich <[EMAIL PROTECTED]> wrote:
>
>> I don't follow.
>>
>> On Aug 4, 2008, at 12:50 AM, Maureen wrote:
>>
>>> Parse the storedstring and put everything after your comparison as the
>>> value of cfqueryparam.
>>>
>>> On Sun, Aug 3, 2008 at 7:59 PM, Rich <[EMAIL PROTECTED]> wrote:
>>>
>>>> Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in
>>>> one case, I'm storing the "WHERE" conditions in a user account so that
>>>> the user can call up the last search he did. So I construct the
>>>> string (e.g. parameter1='A' AND parameter2='B'...) and when I store
>>>> that finished string, I use cfqueryparam. However, what if code for
>>>> an SQL injection is entered there. Although it will not be executed
>>>> when it is stored, it could be executed when it is called up later:
>>>>
>>>> <cfquery...
>>>> SELECT * FROM Table1
>>>> WHERE #storedString#
>>>> </cfquery>
>>>>
>>>> The only thing I can think of is dynamically building the string in
>>>> the WHERE clause and inserting the appropriate cfqueryparam tag for
>>>> each parameter. Seems pretty cumbersome. Are there any other
>>>> solutions?
>>>>
>>>> Thanks,
>>>>
>>>> Rich

Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3114
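Rich's last question has a short answer: cfqueryparam is a tag that the CFML compiler turns into a bind parameter when the template is compiled, so a `<cfqueryparam ...>` stored as text in the database and interpolated through `#storedString#` is sent to the driver as literal characters, not processed as a tag. The pattern that avoids both the parsing problem and the deferred injection is to never store SQL text at all: persist the search as structured name/value pairs, and rebuild the WHERE clause with fresh cfqueryparam tags each time the search is run, with column names taken only from a server-side allowlist. The following is an added example written for this thread, not code posted by any participant; the datasource `myDSN`, the tables `UserAccount` and `Table1`, the column names and `session.userId` are all assumed, and the implicit `{}` / `[]` literals may need `structNew()` / `arrayNew(1)` on older CF8 builds.

```cfml
<!--- Added example (not from the list thread). Datasource, table and column names are assumed. --->

<!--- Allowlist of searchable columns, each mapped to the column actually emitted
      into SQL and the cfsqltype its cfqueryparam should use. Nothing from the
      stored search reaches the SQL text unless it is a key in this structure. --->
<cfset allowedFields = structNew()>
<cfset allowedFields.parameter1 = { column = "parameter1", sqltype = "cf_sql_varchar" }>
<cfset allowedFields.parameter2 = { column = "parameter2", sqltype = "cf_sql_varchar" }>
<cfset allowedFields.amount     = { column = "amount",     sqltype = "cf_sql_numeric" }>

<!--- 1. Saving the search: persist name/value pairs as JSON, never a WHERE string.
        The second value is constructed to look hostile; as data it is harmless. --->
<cfset criteria = arrayNew(1)>
<cfset crit1 = { field = "parameter1", value = "A" }>
<cfset crit2 = { field = "parameter2", value = "B' OR '1'='1" }>
<cfset arrayAppend(criteria, crit1)>
<cfset arrayAppend(criteria, crit2)>

<cfquery datasource="myDSN">
    UPDATE UserAccount
    SET lastSearch = <cfqueryparam value="#serializeJSON(criteria)#" cfsqltype="cf_sql_longvarchar">
    WHERE userId = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 2. Calling the search up later: read the JSON back and rebuild the WHERE
        clause at execution time, one cfqueryparam per stored value. --->
<cfquery name="getSaved" datasource="myDSN">
    SELECT lastSearch FROM UserAccount
    WHERE userId = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>
<cfset savedCriteria = deserializeJSON(getSaved.lastSearch)>

<cfquery name="results" datasource="myDSN">
    SELECT * FROM Table1
    WHERE 1 = 1
    <cfloop array="#savedCriteria#" index="c">
        <!--- Reject any field name that is not on the allowlist; a tampered
              stored search must not be able to name arbitrary columns. --->
        <cfif NOT structKeyExists(allowedFields, c.field)>
            <cfthrow message="Saved search references an unknown field: #c.field#">
        </cfif>
        <!--- The column name comes from the allowlist entry, the value is bound. --->
        AND #allowedFields[c.field].column# =
            <cfqueryparam value="#c.value#" cfsqltype="#allowedFields[c.field].sqltype#">
    </cfloop>
</cfquery>
```

Compared with `WHERE #storedString#`, the stored record now carries no SQL at all, so editing it in the database (or a bug in whatever writes it) cannot change the shape of the query: the only things a saved search can influence are which allowlisted columns are compared and the bound values. If the searches need operators other than `=`, add them as a second allowlist (`eq`, `lt`, `like`) and map each stored operator token to a fixed SQL fragment the same way the column names are mapped, rather than storing the operator text itself.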
