Ok ok, so I'm a baaad boy, but I hadn't been using cfqueryparam all this time,
and with a good reason: you cannot cache your queries if you do.
I'm sure this has come up before, but I want to ask anyway...
I'd prefer not to cfqueryparam all my queries because I have quite a few that
run for every page, some of which are pretty big. Currently I cache every query
I can get away with caching and the sites run fairly snappy. Some day soon I'll
get around to a real tune-up as far as performance, but for now I'm worried
about security.
For the queries based on numeric ID, can't I get away with putting a val()
around my url ID variables and be ok (this is what I'm doing now)? I mean, val()
strips out everything starting from the first non-numeric character, which
would essentially remove all SQL hacks. Assuming I could ensure val() didn't
crash (what could crash it?), would I be safe enough with just that?
Mike

i.e.:
<cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC">
SELECT something
FROM somewhere
WHERE ID = <cfqueryparam cfsqltype="CF_SQL_INTEGER" null="No"
value="#url.ID#">
</cfquery>
vs.
<cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC"
cachedwithin="#session.cache_long#">
SELECT something
FROM somewhere
WHERE ID = #val(url.ID)#
</cfquery>
--------
Michael Muller
Admin, MontagueMA.net Website
work (413) 863-0030
cell (413) 320-5336
skype: michaelBmuller
http://www.MontagueMA.net
Eschew Obfuscation
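Added example (not from the poster or the CF-Talk thread): a Python/SQLite model of the three variants in the post, the raw interpolated ID, the val()-wrapped ID, and a bound integer parameter standing in for cfqueryparam cfsqltype="CF_SQL_INTEGER". The cf_val() helper is an assumed approximation of ColdFusion's val() (leading numeric prefix, else 0), and the table, rows, and the "1 OR 1=1" input are constructed for the demo. It shows the two behaviours a practitioner would want to check: val() does neutralise the classic tautology on an integer column, but it fails silently (junk becomes ID 0), whereas the typed parameter rejects the non-integer input outright.

```python
import re
import sqlite3

# Assumed approximation of ColdFusion's val(): keep the leading numeric prefix
# (optional sign, digits, optional fraction) and return it as a number; any
# string without such a prefix becomes 0. Check your CF version's docs for
# edge cases such as exponent notation, which this helper does not model.
_LEADING_NUMBER = re.compile(r"^\s*[-+]?\d*\.?\d+")


def cf_val(s):
    m = _LEADING_NUMBER.match(str(s))
    if not m:
        return 0
    n = float(m.group(0))
    return int(n) if n.is_integer() else n


def setup_db():
    # Constructed sample data: one row the caller should see, one they should not.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE somewhere (ID INTEGER PRIMARY KEY, something TEXT);
        INSERT INTO somewhere VALUES (1, 'public page'), (2, 'secret page');
        """
    )
    return conn


def query_raw(conn, url_id):
    # Unprotected: the URL value is pasted straight into the SQL text.
    sql = f"SELECT something FROM somewhere WHERE ID = {url_id}"
    return [row[0] for row in conn.execute(sql)]


def query_val(conn, url_id):
    # The poster's approach: coerce to a number, then interpolate. Still string
    # building, but only a number can reach the SQL text, so no SQL can follow it.
    sql = f"SELECT something FROM somewhere WHERE ID = {cf_val(url_id)}"
    return [row[0] for row in conn.execute(sql)]


def query_param(conn, url_id):
    # cfqueryparam-style: validate as an integer (raises ValueError on junk, the
    # way CF_SQL_INTEGER validation fails) and bind it; the driver never parses
    # the user's text as SQL at all.
    bound = int(url_id)
    return [row[0] for row in conn.execute(
        "SELECT something FROM somewhere WHERE ID = ?", (bound,))]


if __name__ == "__main__":
    conn = setup_db()
    attack = "1 OR 1=1"
    print("raw   :", query_raw(conn, attack))    # both rows leak
    print("val() :", query_val(conn, attack))    # only ID 1
    print("val() on junk:", query_val(conn, "abc"))  # silently queries ID 0
    try:
        query_param(conn, attack)
    except ValueError as exc:
        print("param :", "rejected:", exc)
```

The practical reading for the question in the post: for a column that is genuinely an integer, val() closes the injection path because no non-numeric text survives it, and it keeps cachedwithin usable. What it does not give you is validation: val("abc") is 0 and the query runs with ID 0 rather than failing, and a decimal prefix such as "1.9" is passed through as 1.9, so the database, not your code, decides what that compares equal to. If you go this route, add an explicit isNumeric()/integer check before the query so bad input is an error instead of a quiet empty result.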
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272777