Does the parameter typing in a CF Component protect you from a SQL Injection
attack?
Below, both variables cfcStage_From and cfcID have their type set. It seems
cfcStage_From would be protected as it's typed as numeric.
However, cfcID is typed as string, and it seems it could contain a single-quote
that would allow a malicious user to terminate the data entry and add on a
second SQL statement, all inside the string cfcID.
Would cfcID be better inside double quotes (if they work)?
Thoughts? References? Links?
Thanks,
Chris
<cfcomponent displayname="test">
<cfargument name="cfcStage_From" type="numeric" />
<cfargument name="cfcID" type="string" />
....
<cfquery name="qry_test1" datasource="test">
INSERT INTO table
( STAGE_FROM_ID )
Values (#cfcStage_From#)
</cfquery>
<cfquery name="qry_test2" datasource="test">
Update table
set
From_stage =#cfcStage_From#
Where ID = '#cfcID#'
</cfquery>
</cfcomponent>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to
date
Get the Free Trial
http://ad.doubleclick.net/clk;160198600;22374440;w
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299600
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe:
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4