Shawn
asked on
CFQUERYPARAM and order by
Concerning protection against injection I'm a little confused when I should protect the ORDER by clause. Does the query below need to be changed to protect the order by part? If so what to?
...
SELECT container, language, active, lastedit, title, contentID
FROM contentItems
WHERE (active= <CFQUERYPARAM Value=1>)
ORDER BY container, language
</cfquery>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks for the clarification. It's taken a little while to wrap it all around my head. Moving up from Access to SQL server is great but my head is still spinninig a little :-)
thanks for the pointer. I updated all vulnerable queries with a tool that didn't specify type. The type is boolean so I suppose this should be it.
WHERE (active= <CFQUERYPARAM cfsqltype="cf_sql_bit" Value="1">)
thanks for the pointer. I updated all vulnerable queries with a tool that didn't specify type. The type is boolean so I suppose this should be it.
WHERE (active= <CFQUERYPARAM cfsqltype="cf_sql_bit" Value="1">)
> Moving up from Access to SQL server is great but my head is still spinninig a little :-)
Yes, but you will love it as soon as you get your bearings ;-)
Yes, but you will love it as soon as you get your bearings ;-)
ASKER
I'm already starting to...so many possibilities.
I am assuming that is just psuedo-code. Otherwise, the value should be quoted and the
correct "cfsqltype" included (integer, bit, etc..)
WHERE active = <CFQUERYPARAM Value="1" cfsqltype="cf_sql_integer"