Matt,

When I did the security analysis for my site, I did come to this same conclusion. I still--because I am a paranoid worrywart--clean the numerics coming in, but yes, I think that it's safe to say that CFQUERYPARAM with cfsqltype=cf_sql_numeric will make input scrubbing unnecessary, whereas cfsqltype=cf_sql_varchar MAY not. I am sure of the former (the CF documentation indicates this somewhat plainly, if I remember correctly), but not so sure of the latter.
In my mind, though, you still scrub the code for cfsqltype=cf_sql_varchar. Here's my logic: even if CFQUERYPARAM allows you to safely use this variable in a WHERE clause:

Variables.MyVariable="EMPID; DROP TABLE EMPLOYEES;"

...do you really want to leave that value in your database? So my thinking is, scrub away on those cases. With the numeric version, the offending text never gets to the db, so I think that it's safer to not scrub.

Hope this helps,
Matthieu

-----Original Message-----
From: Matt Robertson [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 02, 2002 4:24 PM
To: CF-Talk
Subject: cfqueryparam and scrubbing form inputs

In the past I've used the CodeCleaner custom tag to scrub form inputs. Recently I've expanded my use of CFQUERYPARAM to include values in SQL UPDATE and INSERT statements, rather than just for the WHERE clause. Does cfqueryparam eliminate the need to scrub the code? My gut feeling is 'yes' for cfsqltype=cf_sql_numeric and an emphatic 'NO' for cfsqltype=cf_sql_varchar. Any confirmation/correction would be appreciated.

--Matt--

______________________________________________________________________
Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
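Added example, not code from either post: the three cases the thread discusses, demonstrated with Python's standard sqlite3 module standing in for ColdFusion and its datasource. The EMPLOYEES table, the rows in it, and the use of int() to play the role of the type check that cfqueryparam performs for cf_sql_numeric are all constructed assumptions for this illustration; the payload string is the one Matthieu quotes. It shows that a bound parameter keeps the payload out of the SQL text whether the type is varchar or numeric, that the varchar binding nonetheless stores the payload verbatim (Matthieu's objection), and that the numeric check rejects it before any query runs.

```python
"""String-built SQL vs. bound varchar vs. bound numeric, using sqlite3.

Constructed illustration of the CF-Talk thread above; not ColdFusion and
not the posters' code. The schema and rows are made up for the example.
"""
import sqlite3

# The value quoted in the thread.
PAYLOAD = "EMPID; DROP TABLE EMPLOYEES;"


def fresh_db():
    """Constructed sample schema: two employees in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE EMPLOYEES (EMPID INTEGER PRIMARY KEY, NAME TEXT);"
        "INSERT INTO EMPLOYEES VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


def table_exists(conn):
    """True while the EMPLOYEES table is still present."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='EMPLOYEES'"
    ).fetchone()
    return row is not None


def lookup_unsafe(conn, emp_id):
    """The pre-cfqueryparam pattern: the value is pasted into the SQL text.

    executescript is used so that the injected second statement actually
    runs, as it would on a driver that accepts batched statements. Returns
    whether the table survived the lookup.
    """
    conn.executescript(f"SELECT NAME FROM EMPLOYEES WHERE EMPID = {emp_id}")
    return table_exists(conn)


def lookup_varchar(conn, emp_id):
    """Bound parameter with no type check, the analogue of cf_sql_varchar.

    The driver sends the value as data, never as SQL, so the payload cannot
    drop anything; it simply matches no row. Returns the matching names.
    """
    rows = conn.execute(
        "SELECT NAME FROM EMPLOYEES WHERE EMPID = ?", (emp_id,)
    ).fetchall()
    return [r[0] for r in rows]


def insert_varchar(conn, emp_id, name):
    """An INSERT with a bound varchar value for NAME.

    The query is safe, but the payload is now stored verbatim in the table,
    which is the point Matthieu raises. Returns the stored NAME.
    """
    conn.execute("INSERT INTO EMPLOYEES (EMPID, NAME) VALUES (?, ?)", (emp_id, name))
    return conn.execute(
        "SELECT NAME FROM EMPLOYEES WHERE EMPID = ?", (emp_id,)
    ).fetchone()[0]


def lookup_numeric(conn, emp_id):
    """Bound parameter after a numeric type check, the analogue of cf_sql_numeric.

    cfqueryparam performs this validation itself; here int() plays that role
    (an assumption of the example). A non-numeric value raises ValueError
    before any SQL is sent, so the payload never reaches the database.
    """
    try:
        n = int(emp_id)
    except (TypeError, ValueError):
        raise ValueError(f"rejected non-numeric id: {emp_id!r}") from None
    rows = conn.execute("SELECT NAME FROM EMPLOYEES WHERE EMPID = ?", (n,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("unsafe, benign id, table survives:", lookup_unsafe(fresh_db(), "2"))
    print("unsafe, payload, table survives:", lookup_unsafe(fresh_db(), PAYLOAD))
    conn = fresh_db()
    print("varchar, payload, rows:", lookup_varchar(conn, PAYLOAD), "table:", table_exists(conn))
    print("varchar INSERT stored:", insert_varchar(conn, 3, PAYLOAD))
    print("numeric, benign id:", lookup_numeric(fresh_db(), "2"))
    try:
        lookup_numeric(fresh_db(), PAYLOAD)
    except ValueError as e:
        print("numeric, payload:", e)
```

The varchar case is the one worth lingering on: the SELECT is safe, but the same binding on an INSERT or UPDATE faithfully writes the payload into the row, so any later code that builds SQL from that column, or renders it unescaped, inherits the problem. That is the argument for scrubbing varchar inputs even when every query is parameterized, and for preferring the numeric type wherever the value is supposed to be a number.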

