I need to protect our database from user-inputted data in FORM & URL variables. This involves retrofitting some code, too.
The question is whether to use Val() or IsNumeric to prevent non-numeric characters from being inserted/updated to the database. I know this is an individual choice based on your own need, but I'm curious what others use. Val() or IsNumeric?

thanks,
Chris Norloff

Val() vs. IsNumeric
-------------------

The weakness we're addressing is the potential problem of characters other than numbers in a user-supplied number field:

"In ColdFusion, this risk is only an issue if the variable in the query is a number not enclosed in quotations, or if the variable is a string that is processed in the query with the PreserveSingleQuotes() function."
from http://allaire.com/handlers/index.cfm?ID=8728&Method=Full

The solution(s) are addressed in this same document, and also in Securing Databases for ColdFusion Applications ( http://www.allaire.com/handlers/index.cfm?ID=8830&Method=Full )

SOLUTIONS
1. Use IsNumeric to test every URL or FORM variable prior to inserting/updating that info to the database.
2. Wrap Val() around every URL or FORM variable when it's used in a statement inserting/updating to the database.

Val():
------
Val() does what we want for a number or a number followed by a string - it leaves just the number. However, if the value starts with a non-numeric character, then Val() returns a zero. This may be a concern, because it means that a user-supplied value could have a zero placed in the database rather than error when an invalid entry is submitted. We wouldn't know this until the zeros were identified, or they cause problems "downstream".

IsNumeric can be used two ways:
-------------------------------
[IsNumeric returns a YES or NO depending on whether the value is numeric or not]
1. Individually test all URL & FORM values and error as appropriate, prior to the query.
2. Use IsNumeric in a cfif inside the query - if the value is numeric, continue; if not then abort and error.

I'm of two minds on this:
1. Val() is easier to use, especially to retrofit.
2. IsNumeric is nicer in that if used correctly it completely protects the database.
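The two solutions side by side, as an added ColdFusion example (not code from the original post or from the Allaire documents it cites). It assumes a table named orders with a numeric order_id column and a datasource named myDSN; both names are placeholders.

```cfml
<!--- Added example, not from the original post. Table "orders", column
      "order_id" and datasource "myDSN" are placeholder names. --->

<!--- The weakness the Allaire note describes: an unquoted number taken
      straight from the URL. Whatever text URL.order_id holds is appended
      verbatim to the WHERE clause, so nothing forces it to be a number.
<cfquery name="getOrderUnsafe" datasource="myDSN">
    SELECT * FROM orders WHERE order_id = #URL.order_id#
</cfquery>
--->

<!--- Solution 2: wrap the value in Val(). Anything after the leading
      number is dropped, but a value that starts with a non-digit
      (e.g. "abc") silently becomes 0, so the query runs against
      order_id = 0 and no error is raised. --->
<cfquery name="getOrderVal" datasource="myDSN">
    SELECT * FROM orders WHERE order_id = #Val(URL.order_id)#
</cfquery>

<!--- Solution 1a: test with IsNumeric() before the query and error out
      instead of coercing. The query never runs on bad input. --->
<cfif NOT IsNumeric(URL.order_id)>
    <cfthrow message="order_id must be numeric.">
</cfif>
<cfquery name="getOrderChecked" datasource="myDSN">
    SELECT * FROM orders WHERE order_id = #URL.order_id#
</cfquery>

<!--- Solution 1b: the same check as a cfif inside the query block.
      The CFML is evaluated before any SQL is sent, so cfabort stops
      the request before the statement reaches the database. --->
<cfquery name="getOrderInline" datasource="myDSN">
    SELECT * FROM orders WHERE
    <cfif IsNumeric(URL.order_id)>
        order_id = #URL.order_id#
    <cfelse>
        <cfabort showerror="order_id must be numeric.">
    </cfif>
</cfquery>
```

Where the ColdFusion version in use supports it, cfqueryparam with cfsqltype="cf_sql_integer" covers both concerns at once: it rejects a non-numeric value and passes the number as a bound parameter instead of concatenating it into the SQL.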

