While cleaning up some sql injection problems, I found I had
to rewrite how the inserts were working.
I do not know in advance what fields need to be populated for
inserts so I mad a generic function
to make my inserts.
<cffunction name="insertIntoTable" access="private"
returntype="void">
<cfargument name="table" type="string" required="yes">
<cfargument name="datasource" type="string"
required="yes">
<cfargument name="keyValSet" type="struct"
required="yes">
<cfset var keyList = structKeyList(keyValSet)>
<cfset var curKey = "">
<cfset var curVal = "">
<cfset var comma = "">
<cfset var insertIntoTable = "">
<cfquery datasource="#datasource#"
name="insertIntoTable">
insert into #table# (#keyList#)
values (<cfloop list="#keyList#"
index="curKey">#comma#<cfset comma = ","><cfset curVal
= trim(keyValSet[curKey])><cfif len(curVal) eq
0><cfqueryparam null="yes"><cfelse><cfqueryparam
value="#curVal#"></cfif></cfloop>)
</cfquery>
<cfreturn>
</cffunction>
I know before this call is made that the table names and the
keylist is clean.
I found that I could not simply use a <cfqueryparam
list="yes" ...> as some of
the entries may be null.
My current problem is when someone enters Joe's Crab Shack
into a form field
the corresponding data record results in Joe''s Crab Shack.
I found a hotfix for CF MX 6.1 with something that sounded
similar, however
we are running CF 7.02 on redhat. The db server is an old MS
SQL Server (8.00).
2
Replies
AdChoices