Since cfqueryparam doesn't work in an order by, would using xmlformat stop sql injections?
ORDER BY #xmlformat(myVariable)#
Thanks,
http://www.petefreitag.com/item/677.cfm
A good way to get around this limitation is to use the ListFindNoCase function to limit the sortable column names, for example:
<cfset sortable_column_list = "age,height,weight,first_name">
<cfquery ...>
    SELECT first_name, age, height, weight
    FROM people
    <!--- Only a value found in the allow-list is emitted; anything else falls back to a fixed column --->
    ORDER BY <cfif ListFindNoCase(sortable_column_list, url.sort_column)>#url.sort_column#<cfelse>first_name</cfif>
</cfquery>
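The same allow-list idea carried one step further, as an added example rather than code from the post above: the request value is used only as a lookup key into a server-side map, so the text that reaches the SQL is always a literal the application chose, for both the column and the ASC/DESC direction, while ordinary values still go through cfqueryparam. The datasource name, url.sort_dir and url.min_age are assumed for illustration.

```cfml
<!--- Added example, not from the original post. Allow-list the ORDER BY column
      and direction by mapping request tokens to server-controlled literals. --->
<cfscript>
// Keys: what the client may send. Values: the exact text that may reach the database.
allowedSortColumns = {
    "first_name": "first_name",
    "age":        "age",
    "height":     "height",
    "weight":     "weight"
};
allowedDirections = { "asc": "ASC", "desc": "DESC" };

// Normalise the request value, then resolve it; any miss falls back to a fixed default.
sortKey = structKeyExists(url, "sort_column") ? lcase(trim(url.sort_column)) : "first_name";
sortCol = structKeyExists(allowedSortColumns, sortKey) ? allowedSortColumns[sortKey] : "first_name";

dirKey  = structKeyExists(url, "sort_dir") ? lcase(trim(url.sort_dir)) : "asc";
sortDir = structKeyExists(allowedDirections, dirKey) ? allowedDirections[dirKey] : "ASC";

// url.min_age is an assumed filter parameter; it is a value, so cfqueryparam applies.
minAge  = structKeyExists(url, "min_age") && isNumeric(url.min_age) ? int(url.min_age) : 0;
</cfscript>

<!--- myDSN is a placeholder datasource name --->
<cfquery name="people" datasource="#myDSN#">
    SELECT first_name, age, height, weight
    FROM people
    WHERE age >= <cfqueryparam value="#minAge#" cfsqltype="cf_sql_integer">
    ORDER BY #sortCol# #sortDir#
</cfquery>
```

Identifiers (column names, sort direction) cannot be bound as parameters, which is why they are allow-listed, while every value in the WHERE clause still goes through cfqueryparam.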