cfqueryparam is that we were talking about constant values that were NOT
collected from a user, but rather hard coded into the query. No user
interaction usually means no opportunity for user mischief.
--------------
Ian Skinner
Web Programmer
BloodSource
www.BloodSource.org
Sacramento, CA
-----Original Message-----
From: Gaulin, Mark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 09, 2003 6:13 AM
To: CF-Talk
Subject: RE: The Value of CFQUERYPARAM
I haven't heard anyone mention the security value of cfqueryparam... using
this tag will prevent someone from injecting malicious code into your
queries. Consider this example:
<cfparam name="url.userid">
<cfquery name="getPerson" datasource="myDSN"> <!--- datasource name is a placeholder --->
select id, username from people where userid = #url.userid#
</cfquery>
If someone calls this page with the url
"sample.cfm?userid=1+go+delete+*+from+people" there is a chance that the
people table will get nuked. cfqueryparam prevents this from happening.
Mark
-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 6:54 PM
To: CF-Talk
Subject: Re: The Value of CFQUERYPARAM
[EMAIL PROTECTED] wrote:
>
> I asked this question and quite a discussion broke out between the DB
> heavyweights (Jochem and Adam I think)
Thank you :-)
> I've tried my best to find it in the archives but I can't for some
> reason.....
http://www.houseoffusion.com/cf_lists/index.cfm?method=messages&threadid=24110&forumid=4#121513
I hope I am doing Adam's position justice when I summarise the
debate as follows:
- with cfqueryparam, changes in the value of a parameter will not
lead to a recompilation (overhead) of the query execution plan in
the DBMS
- this is generally a good thing, because it means a query like
select * from table where id = X gets only compiled once,
regardless of the value of X
- therefore, if you use cfqueryparam for constants as well, the
query will still be only compiled once (Adam)
- but if you don't use cfqueryparam, you can force a
recompilation of the query execution plan if you want so (Jochem)
I am still not sure we actually disagree :-)
Jochem
--
When you don't want to be surprised by the revolution
organize one yourself
- Loesje
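As an added example (not code from any of the posters above), the four queries below put Mark's injection point and the Adam/Jochem execution-plan point side by side. The datasource name "peopleDSN" and a table people(id, username, userid, status) are assumptions for illustration only.

```cfml
<!--- Added example, not from the thread. Assumes a datasource named "peopleDSN"
      and a table people(id, username, userid, status); both are placeholders. --->

<!--- 1. The vulnerable pattern from Mark's post: the URL value is pasted straight
      into the SQL text, so ?userid=1+go+delete+*+from+people (the + decodes to a
      space) changes the statement itself, not just the value being compared. --->
<cfquery name="vulnerable" datasource="peopleDSN">
    select id, username
    from   people
    where  userid = #url.userid#
</cfquery>

<!--- 2. Hardened: the value travels as a bind parameter. The SQL text handed to the
      DBMS is fixed ("where userid = ?"), so whatever is in url.userid is data.
      Because cfsqltype is cf_sql_integer, ColdFusion also rejects a non-numeric
      value with an "Invalid data" error before the statement is ever sent. --->
<cfparam name="url.userid" type="numeric">
<cfquery name="hardened" datasource="peopleDSN">
    select id, username
    from   people
    where  userid = <cfqueryparam value="#url.userid#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. The execution-plan point from Jochem's summary. With the constant bound as a
      parameter (Adam's position) the DBMS sees one statement text and can reuse
      one compiled plan no matter which status value is supplied. --->
<cfquery name="activePeople" datasource="peopleDSN">
    select id, username
    from   people
    where  status = <cfqueryparam value="active" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>

<!--- 4. With the constant inlined (Jochem's position) each distinct literal is a
      distinct statement text, so changing the literal forces a fresh plan, which
      is sometimes what you want. Safe here only because the literal is hard-coded
      and never assembled from request data. --->
<cfquery name="inactivePeople" datasource="peopleDSN">
    select id, username
    from   people
    where  status = 'inactive'
</cfquery>
```

The security property comes from query 2's shape, not from any filtering of url.userid: the parameter marker is compiled into the statement before the value is attached, so no sequence of characters in the value can terminate the WHERE clause or start a second statement. The cfsqltype check is a bonus that turns a malformed request into an error page instead of a round trip to the database.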