ColdFusion Talk (CF-Talk)
Alternative for using SQL bind parameters
Helwig, Till Helge, 06/08/12 04:07 AM

Hi guys,

I'm working on a very old CF application at the moment. When it was first created, apparently nobody cared about sanitizing SQL statements. There are lots of SQL queries in the code and most don't use <cfqueryparam>, which I would like to change whenever I stumble upon one of these.

However, there is a slight problem: In many places the query statement is being assembled outside of <cfquery> by various functions and then there is only <cfquery ...>#sql#</cfquery> in the code. Is there any way to make CF use bind variables in SQL statements apart from <cfqueryparam>, which obviously is not allowed outside of <cfquery>? I'm thinking about the flexibility in Java where you can just use ":foo" in statement strings and then provide a parameter map to the query.

And if there isn't... how do you deal with situations like this?

Till Helge

Dan G. Switzer, II, 06/08/12 07:48 AM

If you're on CF9+, then you can do what you want:

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSe9cbe5cf462523a0693d5dae123bcd28f6d-7ffb.html

You can also duplicate this concept in earlier versions of ColdFusion. I actually built an implementation for CF8 (probably would work in CF7 too) that also fixed some of the bugs/issues w/ the CF9 implementation due to how they parse out the params (but it uses the same syntax.)

Unfortunately, I can't share the code, but the basic idea is you just parse the SQL statement and then inside a <cfquery> statement you walk through the parsed string, outputting the straight text or implementing <cfqueryparam /> when you come to a parameter statement.

-Dan

On Fri, Jun 8, 2012 at 4:06 AM, Helwig, Till Helge <till.helwig@saxsys.de> wrote:
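The approach Dan describes, written out as an added example that is not code from either post: a function that walks the assembled statement inside <cfquery>, passes plain SQL and single-quoted literals through unchanged, and emits <cfqueryparam> for every :name placeholder. The function name, the params convention (a struct per name holding value and cfsqltype) and the datasource name are assumptions made for this example.

```cfml
<!--- Added example, not Dan's implementation. params is a struct keyed by
      placeholder name; each entry is a struct with "value" and "cfsqltype"
      (an assumed convention for this example). --->
<cffunction name="queryWithNamedParams" returntype="query" output="false">
    <cfargument name="sql" type="string" required="true">
    <cfargument name="params" type="struct" required="true">
    <cfargument name="datasource" type="string" required="true">
    <cfset var result = "">
    <cfset var pos = 1>
    <cfset var match = "">
    <cfset var token = "">
    <cfset var name = "">
    <cfset var p = "">
    <!--- match either a single-quoted SQL literal (passed through untouched, so a
          ':' inside it is never mistaken for a placeholder) or a :name placeholder --->
    <cfset var pattern = "'(?:[^']|'')*'|:([A-Za-z_][A-Za-z0-9_]*)">
    <cfquery name="result" datasource="#arguments.datasource#">
        <cfloop condition="pos LTE Len(arguments.sql)">
            <cfset match = REFind(pattern, arguments.sql, pos, true)>
            <cfif match.pos[1] EQ 0>
                <!--- no more tokens: emit the tail of the statement verbatim --->
                #Mid(arguments.sql, pos, Len(arguments.sql) - pos + 1)#
                <cfset pos = Len(arguments.sql) + 1>
            <cfelse>
                <!--- plain SQL text between the previous token and this one --->
                #Mid(arguments.sql, pos, match.pos[1] - pos)#
                <cfset token = Mid(arguments.sql, match.pos[1], match.len[1])>
                <cfif Left(token, 1) EQ "'">
                    #token#
                <cfelse>
                    <cfset name = Mid(token, 2, Len(token) - 1)>
                    <cfif NOT StructKeyExists(arguments.params, name)>
                        <cfthrow message="No value supplied for placeholder :#name#">
                    </cfif>
                    <cfset p = arguments.params[name]>
                    <cfqueryparam value="#p.value#" cfsqltype="#p.cfsqltype#">
                </cfif>
                <cfset pos = match.pos[1] + match.len[1]>
            </cfif>
        </cfloop>
    </cfquery>
    <cfreturn result>
</cffunction>

<!--- usage: the code that used to build #sql# keeps building it, but with
      :name placeholders instead of concatenated values (datasource assumed) --->
<cfset sql = "SELECT id, name FROM users WHERE email = :email AND status = 'active'">
<cfset params = { email = { value = url.email, cfsqltype = "cf_sql_varchar" } }>
<cfset q = queryWithNamedParams(sql, params, "myDsn")>
```

Only single-quoted literals are skipped; a :name token anywhere else in the statement, including inside a SQL comment, is treated as a placeholder and must have a matching entry in params.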
May 21, 2013