<p>Since cfqueryparam doesn't work in an order by, would using xmlformat stop sql injections?</p> <pre class="prettyprint"><code>ORDER BY #xmlformat(myVariable)# </code></pre> <p>Thanks,</p>

how to prevent coldfusion sql-injection on order by clause

Tags:

sql

coldfusion

sql-injection

Since cfqueryparam doesn't work in an order by, would using xmlformat stop sql injections?

ORDER BY #xmlformat(myVariable)#

Thanks,

843

asked Feb 24 '23 10:02

Mike Henke

1 Answers

http://www.petefreitag.com/item/677.cfm

A good way to get around this limitation is to use the ListFindNoCase function, to limit the sortable column names, for example:

<cfset sortable_column_list = "age,height,weight,first_name">
<cfquery ...>
  SELECT first_name, age, height, weight
  FROM people
  ORDER BY <cfif ListFindNoCase(sortable_column_list, url.sort_column)>#url.sort_column#<cfelse>first_name</cfif>
</cfquery>

142

answered Mar 04 '23 05:03

Mike Henke

Recent Activity
Apple Pay - authorize.net returns error 153 only when live, sandbox works
How to continue cursor loop even error occured in the loop
python find all neighbours of a given node in a list of lists
Fatal error: Call to a member function setColumn() on a non-object in Magento
Count how many of each value from a field with MySQL and PHP
Python 32-bit development on 64-bit Windows [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

how to prevent coldfusion sql-injection on order by clause

Tags:

sql

coldfusion

sql-injection

Mike Henke

1 Answers

Mike Henke

Related questions

Recent Activity

Donate For Us