A lot of people seem to be under the impression that you should only use
CFQUERYPARAM when you're on certain kinds of DBMSs or doing certain things
(for example only use it for Updates but not for Selects). The simple fact
is it can (and should) be used in ANY SQL Statement that contains variable
data.
The param tag will type check your values and, due to the way the statement
is sent to the DB, will not allow any variable data to be confused with
statement data.
The only way SQL Injection hacks can work is if variable data can be
confused/combined with statement information before it gets sent to the
database for processing. Since using CFQUERYPARAM separates all variable
data from Statement information (something called "bind variables" on the DB
side) this can never happen if you use it (and it's also much faster on most
DBMSs).
Make sense?
If you can't control all of the code on your server, you may still want to
pursue your current path to protect that potentially poor code, but if
you've got any say at all I would force the adoption of CFQUERYPARAM as a
required standard. It seems to me that if you can control the app enough to
protect it with the code you've mentioned then you should have the control
to enforce the use of CFQUERYPARAM.
I'm not sure if there's any technical way to force people to use it (perhaps
some DBMSs may let you permit only bind variables in a connection?). I don't
think there's any way at the CF level, however (although I think it would
make a fine feature).
Jim Davis
_____
From: Matt Liotta [mailto:[EMAIL PROTECTED]
Sent: Sunday, May 09, 2004 5:51 PM
To: CF-Talk
Subject: Re: URL cleansing
I don't understand the point. Why not just use cfqueryparam and never
again worry about SQL injection?
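The mechanism the thread describes (variable data pasted into the statement text versus sent separately as a bind variable), as an added example that is not code from anyone in the thread. CFML can't be run here, so it is written in Python against the standard-library sqlite3 driver; each function names the `<cfquery>` / `<cfqueryparam>` form it stands in for. The `users` table and the attack strings are constructed for the demo, and the `cf_sql_integer` type check is imitated with `int()`.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
ROWS = [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)]


def make_db():
    """Throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_id_concat(conn, user_id):
    """Vulnerable: stands in for <cfquery>... WHERE id = #url.id#</cfquery>.
    The caller's string becomes part of the statement the DB parses, so
    '2 OR 1=1' turns a one-row lookup into a dump of the whole table."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_id_bound(conn, user_id):
    """Hardened: stands in for
    <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">.
    The statement text is constant; the value travels separately as a bind
    variable, and the type check rejects anything that is not an integer."""
    try:
        value = int(user_id)
    except ValueError:
        raise ValueError(f"cf_sql_integer rejects {user_id!r}")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def lookup_name_concat(conn, name):
    """Vulnerable string case: WHERE name = '#url.name#'.
    A quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_name_bound(conn, name):
    """Hardened string case, stands in for cfsqltype="cf_sql_varchar".
    There is no type check to fail here; the quote simply stays data, so the
    DB looks for a user literally named x' OR '1'='1 and finds none."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    for uid in ("2", "2 OR 1=1"):
        print(f"id={uid!r:14} concat -> {lookup_id_concat(db, uid)}")
        try:
            print(f"id={uid!r:14} bound  -> {lookup_id_bound(db, uid)}")
        except ValueError as err:
            print(f"id={uid!r:14} bound  -> {err}")
    for nm in ("bob", "x' OR '1'='1"):
        print(f"name={nm!r:12} concat -> {lookup_name_concat(db, nm)}")
        print(f"name={nm!r:12} bound  -> {lookup_name_bound(db, nm)}")
    db.close()
```

Run it and the concatenated forms return all three users for the attack inputs while the bound forms either reject the input (integer type check) or return nothing (the varchar case). The second pair is the one worth remembering: the protection does not come from the type check, it comes from the value never being part of the statement text, which is why it applies equally to SELECT, INSERT, UPDATE and DELETE. What it does not cover is anything that must be statement text rather than a value (a table or column name, an ORDER BY target), which still needs a whitelist.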

