stored procedure away :).
-joe
-----Original Message-----
From: Philip Arnold [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 8:14 AM
To: CF-Talk
Subject: Re: SQL query style (WAS: SQL search query)
On Wed, 16 Jun 2004 08:06:16 -0400, Joe Rinehart wrote:
>
> CFQUERYPARAM does provide a layer of typing that running a basic query
> misses. For instance, if you have this query:
>
> SELECT firstname, lastname FROM employees WHERE employeeId =
> #url.employeeId#
>
> and I change the value of employeeId=2 in my address bar to something
> like:
>
> 2;SELECT password AS firstname, lastname FROM employees WHERE employeeId
> = 2
>
> ...I can probably manipulate your database to do what I please. It's
> called a SQL injection attack, and CFQUERYPARAM is one very good way to
> prevent it, as it creates prepared statements that take parameters, not
> dynamic formed SQL. For more info, check out this article:
>
> http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html
Think of a more dangerous URL
I'll change the URL variable to
2; drop table employees '
You can do the validation with Val and such, but you're still open to
SQL Injection Attacks if you're not careful
You should ALWAYS use CFQUERYPARAM on EVERY query, no matter what
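The two patterns the thread contrasts, the #url.employeeId# concatenation and a cfqueryparam-style bound parameter with an integer type check, shown side by side in Python with sqlite3. This is an added example, not code from the thread or from ColdFusion; the employees table layout and its rows are constructed for the demonstration, and the two test inputs are the URL values quoted in the messages above.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
EMPLOYEES = [
    (1, "Ada", "Lovelace", "s3cret"),
    (2, "Alan", "Turing", "enigma"),
]

# The two URL values discussed in the thread, used here as inputs.
STACKED_PAYLOAD = "2;SELECT password AS firstname, lastname FROM employees WHERE employeeId = 2"
DROP_PAYLOAD = "2; drop table employees '"


def make_db():
    """Build an in-memory employees table matching the query in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "employeeId INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def build_concat_sql(employee_id):
    """The #url.employeeId# pattern: the request value is pasted into the SQL text.

    Whatever the client sends becomes part of the statement the database parses,
    so a value containing ';' or a quote rewrites the query itself.
    """
    return "SELECT firstname, lastname FROM employees WHERE employeeId = " + employee_id


def lookup_param(conn, employee_id):
    """The cfqueryparam pattern: the SQL text is fixed and the value is bound separately.

    The database compiles the statement once; the value is compared as data and
    is never parsed as SQL, whatever characters it contains.
    """
    sql = "SELECT firstname, lastname FROM employees WHERE employeeId = ?"
    return conn.execute(sql, (employee_id,)).fetchall()


def is_integer_param(value):
    """The check that cfsqltype="cf_sql_integer" adds before binding."""
    try:
        int(value)
    except (TypeError, ValueError):
        return False
    return True


def lookup_typed(conn, employee_id):
    """Binding plus the integer type check.

    Non-integer input is rejected before any SQL is sent, so a malformed value
    fails at the application boundary instead of silently returning no rows.
    """
    if not is_integer_param(employee_id):
        raise ValueError("employeeId must be an integer, got %r" % (employee_id,))
    return lookup_param(conn, int(employee_id))


def table_exists(conn, name):
    """Check the schema so a caller can confirm no table was dropped."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(build_concat_sql("2"))
    print(build_concat_sql(DROP_PAYLOAD))  # the URL text is now part of the SQL
    print(lookup_typed(conn, "2"))
    print(lookup_param(conn, DROP_PAYLOAD))  # bound as data: matches nothing
    print(table_exists(conn, "employees"))
```

The point of build_concat_sql is only to show what reaches the database: with concatenation the attacker's text is in the statement before the driver sees it, and whether the second statement runs depends on the database and driver (sqlite3 in Python refuses multi-statement execute; other drivers do not). With lookup_param the statement never changes, and lookup_typed rejects anything that is not an integer before a round trip happens, which is the behaviour cfqueryparam gives you with cf_sql_integer.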