Rick Root wrote:
> Snake wrote:
>> Select * from table
>> Where x = #form.value#
>>  
>> And form.value = (delete from table) 
>
> <cftry>
> <cfparam name="form.value" type="numeric">
> <cfcatch type="any"><cfthrow ...></cfcatch>
> </cftry>
>
> or
> 
> <cfif not isNumeric(form.value)>
>   <Cfthrow ...>
> </cfif>

And that catches the form variable "3e4" how exactly?


> <cfqueryparam> is *NEVER* "required" if you're willing to code the other 
> stuff.
> 
> But if you get in the habit of NOT using cfqueryparam, and you code the 
> other stuff, you have to worry about forgetting to scrub the data at 
> some point, and then you've got a security hole.

SQL injection may start with changing a URL variable from a number to another 
number or a string like the examples you are showing, it ends with seriously 
high end hacking involving charset conversions (if you convert some East-Asian 
multibyte character sets to ASCII, single quote might suddenly appear in the 
middle of a string), SQL comments and database specific escape sequences (as 
the most basic example, try inserting a string with \' into MySQL). The bottom 
line is that I do not believe any ColdFusion developer has the necessary 
imagination and understanding of his database to defend against these things. 
So it is not even forgetting to scrub, it is also about the risk you still have 
with scrubbed data.


> Why would you NOT use cfqueryparam?

The only reason I can think of is because it is still not compatible with query 
caching.

Jochem
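The "3e4" point above, as an added example (not code from this thread), written in Python against an in-memory SQLite table rather than CFML so it runs stand-alone; the table, rows and function names are constructed for illustration. It contrasts a permissive isNumeric-style check followed by string interpolation with a strict integer check followed by parameter binding, and shows that "3e4" passes the first check and reaches the database as a float literal.

```python
import re
import sqlite3

def make_db():
    """Constructed sample table, standing in for the 'table' in the quoted query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, x INTEGER, name TEXT)")
    conn.executemany("INSERT INTO items (x, name) VALUES (?, ?)",
                     [(3, "three"), (30000, "thirty thousand")])
    conn.commit()
    return conn

def loose_is_numeric(value):
    """Permissive check in the spirit of isNumeric(): anything float() parses,
    including '3e4', '1.5' and '+7', counts as numeric."""
    try:
        float(value)
        return True
    except ValueError:
        return False

def strict_integer(value):
    """What an integer column actually needs: an optional sign and digits, nothing else."""
    return re.fullmatch(r"[+-]?\d+", value) is not None

def lookup_interpolated(conn, value):
    """'Scrub then interpolate': the check lets '3e4' through, so the text 3e4
    is spliced into the SQL and interpreted by the database's own parser."""
    if not loose_is_numeric(value):
        raise ValueError("not numeric")
    sql = f"SELECT name FROM items WHERE x = {value}"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, value):
    """Validate to the column's real type, then bind: the value never becomes
    part of the SQL text, only a typed parameter."""
    if not strict_integer(value):
        raise ValueError("not an integer")
    sql = "SELECT name FROM items WHERE x = ?"
    return [row[0] for row in conn.execute(sql, (int(value),))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_interpolated(db, "3e4"))   # ['thirty thousand']: SQLite reads 3e4 as 30000.0
    try:
        lookup_bound(db, "3e4")
    except ValueError as e:
        print("rejected:", e)
    print(lookup_bound(db, "3"))            # ['three']
```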


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250697