Does the parameter typing in a CF Component protect you from a SQL Injection 
attack?

Below, both variables cfcStage_From and cfcID have their type set. It seems 
cfcStage_From would be protected as it's typed as numeric. 

However, cfcID is typed as string, and it seems it could contain a single-quote 
that would allow a malicious user to terminate the data entry and add on a 
second SQL statement, all inside the string cfcID.

Would cfcID be better inside double quotes (if they work)?

Thoughts? References? Links?

Thanks,
Chris


<cfcomponent  displayname="test">
 
<cfargument name="cfcStage_From" type="numeric" />
<cfargument name="cfcID" type="string" />
....
<cfquery name="qry_test1" datasource="test">
    INSERT INTO  table
    ( STAGE_FROM_ID )
    Values (#cfcStage_From#)
</cfquery>

<cfquery name="qry_test2" datasource="test">
    Update table
    set 
    From_stage =#cfcStage_From#
    Where ID = '#cfcID#'
</cfquery>

</cfcomponent>




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299600
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4

Reply via email to