It will be secured, but it is better IMO to use the maxlength attribute.
It should match your schema.  If I were doing this the maxlength on both
my cfqueryparam and column would be the maximum length of allowed email
addresses.  My standard length for passwords can be no longer than 8
characters.  So my column would have a max length of 8 and my
cfqueryparam would have the same value.

Remember to not allocate room for more than you are going to use.
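Below is an added example, not code from this thread or from any of its posters, showing the login query from Radek's message rewritten the way the reply above recommends: every cfqueryparam carries a maxlength equal to the width of the column it is compared against, and over-long input is rejected before the query ever reaches the database. The column widths (email VARCHAR(254), password VARCHAR(8)), the application.dsn datasource and the getUserId function name are assumptions made for the example.

```cfml
<!--- Added example: a lookup function whose cfqueryparam maxlength values
      mirror the assumed schema:
        users.email    VARCHAR(254)
        users.password VARCHAR(8)
      Keeping the two in step means no room is allocated for input the
      column could never hold. --->
<cffunction name="getUserId" access="public" returntype="numeric" output="false">
    <cfargument name="email" type="string" required="true">
    <cfargument name="password" type="string" required="true">

    <!--- Assumed column widths; change these when the schema changes. --->
    <cfset var emailMax = 254>
    <cfset var passwordMax = 8>
    <cfset var cleanEmail = trim(arguments.email)>
    <cfset var cleanPassword = trim(arguments.password)>
    <cfset var qUser = "">

    <!--- Reject input that cannot fit the columns before touching the
          database. cfqueryparam would also refuse a value longer than its
          maxlength by raising a parameter validation error, but checking
          here keeps the failure explicit and cheap. --->
    <cfif len(cleanEmail) EQ 0 OR len(cleanEmail) GT emailMax
          OR len(cleanPassword) EQ 0 OR len(cleanPassword) GT passwordMax>
        <cfreturn 0>
    </cfif>

    <!--- application.dsn is an assumed datasource name. Both values are
          bound as parameters, so the literal quoting from the original
          '#trim(arguments.email)#' version (and the injection it allowed)
          is gone. --->
    <cfquery name="qUser" datasource="#application.dsn#">
        SELECT USERID
        FROM   users
        WHERE  email = <cfqueryparam value="#cleanEmail#"
                                      cfsqltype="CF_SQL_VARCHAR"
                                      maxlength="#emailMax#">
        AND    password = <cfqueryparam value="#cleanPassword#"
                                         cfsqltype="CF_SQL_VARCHAR"
                                         maxlength="#passwordMax#">
    </cfquery>

    <!--- Return 0 when no row matched rather than an empty query. --->
    <cfif qUser.recordCount GT 0>
        <cfreturn qUser.USERID>
    <cfelse>
        <cfreturn 0>
    </cfif>
</cffunction>
```

The maxlength values live in two variables so that a schema change is a one-line edit; the point of the reply above is that the parameter width and the column width are the same number, and keeping them in one place makes drift easy to spot.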

-----Original Message-----
From: Ben Forta [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 24, 2008 11:23 AM
To: CF-Talk
Subject: RE: (ot) URL Hack Attempt Leaves Me Scractching My Head...

MAXLENGTH would typically be the maximum the underlying table allows or
the maximum you want to accept. And MAXLENGTH is optional.

--- Ben


-----Original Message-----
From: Radek Valachovic [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 24, 2008 2:19 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

What would you suggest for this kind of thing:

Select USERID
from users
where email = '#trim(arguments.email)#' and password =
'#trim(arguments.password)#'


Something like this?

Select USERID
from users
where email = <cfqueryparam value="#trim(arguments.email)#"
                            cfsqltype="CF_SQL_VARCHAR" maxlength="?">
and password = <cfqueryparam value="#trim(arguments.password)#"
                             cfsqltype="CF_SQL_VARCHAR" maxlength="?">

I put question marks for MAXLENGTH, still thinking whether I should specify it
for more security (but by guessing the length of emails someone can be
rejected) or whether it can be without MAXLENGTH?

Radek



>
> Not using SELECT * is more of a "best practices" kind of thing.
>
> When you use it, you're potentially pulling more information than you
> need, which is inefficient.  Additionally, specifying all of the columns
> you're pulling is more self-documenting.
>
> I'd much rather see:
>
> SELECT
>     u.userName
>     , u.userPhone
>     , u.userEmail
>     , u.userAddress
> FROM
>     Users u
> WHERE
> ....
>
> than
>
> SELECT * FROM Users
>
> with the former, I have a better idea of what I'm dealing with (without
> the need to <cfdump> the query and see it).
>
>
> --
> A byte walks into a bar and orders a pint. Bartender asks him "What's
> wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I
> thought you looked a bit off."
>
>
> 





Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309656