@Allen No I don't....not in the SELECT clause....what the heck kind of user input would I be using in my SELECT clause??

In my WHERE clauses...of course...all the time without fail. FYI..."clause" does not equal "statement"....I think that is where you misread my previous post ;-)

Cheers

On Tue, 2010-10-26 at 11:33 -0700, Alan Rother wrote:
> Bryan and Matt, please tell me you use cfqueryparam on your SELECT
> statements where you accept user provided information such as FORM or URL
> variables... right?
>
> If you don't you are exposing yourselves to SQL Injection attacks, it's not
> just on INSERT and UPDATE statements that you are vulnerable, it's anytime
> you access your DB and pass in values from your users.
>
> As a rule of thumb here, we never write a query without a cfqueryparam tag
>
> =]
>
> On Tue, Oct 26, 2010 at 11:24 AM, Matt Quackenbush <[email protected]> wrote:
>
> > @ Bryan-
> >
> > You are apparently correct on #1. I shall try and remember that in the
> > future. It is now obvious to me that stating that the code works
> > absolutely perfectly in one environment does not lead to everyone
> > understanding that it is not an issue of incomplete code.
> >
> > As for #2, it is a SELECT INTO statement, so, yes, it needs <cfqueryparam
> > />. I too have never seen <cfqueryparam /> in a normal SELECT FROM
> > statement.
> >
> > @ All-
> >
> > It seems that I have managed to find not one, but two bugs in CF8.0.1. I
> > will post the bug reports as soon as I have had an opportunity to make
> > them.
> >
> > For those who might stumble across this post in the future, the workaround
> > is two-fold:
> >
> > 1) Use the 'result' attribute on <cfquery> instead of the 'name' attribute.
> > (Grab the newly inserted ID from 'result.identitycol'.)
> >
> > 2) Use a standard 'VALUES' insert, rather than a 'SELECT' insert. If you
> > need the lookup on a value (e.g. when you'd normally use a 'SELECT'
> > insert), you can either make a prior db call to get the value(s), or you
> > can have a lookup struct/query in cache to pull the values from.
> >
> > HTH

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338585
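The point the thread settles on is that a SELECT is only safe when the user-supplied value in its WHERE clause is bound with <cfqueryparam> rather than interpolated into the SQL text. The following is an added example, not code from anyone in the thread; it uses Python's sqlite3 module (with a constructed in-memory users table) instead of ColdFusion, but shows the same contrast: the interpolated WHERE clause lets a crafted value change the query, while the bound parameter keeps the SQL fixed.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory users table standing in
    for the application database discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def find_user_unsafe(conn, username):
    """Interpolates the request value straight into the WHERE clause.
    This is the equivalent of writing #FORM.username# inside <cfquery>
    with no <cfqueryparam>: the database cannot distinguish data from SQL,
    so a value containing quotes rewrites the condition."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Binds the value as a query parameter. The SQL text never changes and
    the value travels separately, which is what <cfqueryparam> does for a
    <cfquery>. Whatever the value contains, it is compared as a string."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Ordinary input behaves the same either way.
    print(find_user_unsafe(db, "bob"))   # [(2, 'bob')]
    print(find_user_safe(db, "bob"))     # [(2, 'bob')]
    # A value with an embedded quote: the interpolated query returns every
    # row, the parameterised query matches nothing.
    crafted = "' OR '1'='1"
    print(len(find_user_unsafe(db, crafted)))  # 3
    print(find_user_safe(db, crafted))         # []
```

The same rule applies to any statement type: whether the query is SELECT, INSERT, UPDATE or DELETE, every value that originates from FORM, URL or any other untrusted source belongs in a bound parameter, never in the SQL string itself.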

