Dynamic table name from Arguments in <cfquery />

Forum|Forum|16 years ago
March 20, 2009
1 reply
527 views

I'm trying to use dynamic table names in a cfc but seem to have hit upon a wall as my calling methods from flash keep hitting my _error methods - Code attached to show what I'm trying to achieve; if anyone can give me some pointers it would be a great help. I've seen numerous by using the Form with the arguments but this is coming into a gateway used by a flash component and doesn't work no matter how much I fiddle the code.

Thanks in advance

This topic has been closed for replies.

B

B_BezAuthor

Participant

<cfset var_Table = '#Arguments.tableName#' > seems to have fixed it nvm

-

-__cfSearching__-

Inspiring

> this is coming into a gateway used by a flash component

Then you should make certain you VAR scope all of the function local variables (including query names) to avoid race conditions.

> SELECT * FROM #var_Table# WHERE `Object` = '#var_eNo#'

That is a sql injection attack just waiting to happen ...

A

Anonymous

There was a time when I needed a dynamic query such as this. BUT, it is very dangerous, which is why I took a few steps to make it more secure.

1. Always use cfqueryparam and strict datatyping
2. Use listFindNoCase for known table names in the database e.g

<cfset variables.tableNames = "items,products,categories,blog" />
<cfif listContainsNoCase(variables.tableNames,lCase(trim(arguments.tableName)),",")>
query here
<cfelse>
Error: Unknown table requested
</cfif>

Mikey

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded