> I've always been curious as to how cfqueryparam works. Does anyone know if
> it just performs some scanning and filtering on the actual values of the
> parameters passed to it or whether it somehow signals to the RDBMS that the
> values are parameters to the query thereby treating an SQLI attack as an
> escaped string or something?

It builds a prepared statement. It doesn't scan or filter anything.

> cfqueryparam errors when you try to use it outside a cfquery tag, which
> limits some of the stuff you can do with it. ( Like using cfsavecontent to
> have various cffunctions append SQL to a query and then popping that
> variable inside of a cfquery tag ).
>
> Is there some other way to leverage the parameterized safety of
> cfqueryparam? Can you do it using pure SQL? The database driver? Any ideas
> on how I could provide the same security outside of cfquery tags?

You could build a prepared statement yourself.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321651
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Reply via email to