The cfqueryparam tag suits your needs here the best, I would believe. Greetings.
> I need to protect our database from user-inputted data in FORM & URL
> variables. This involves retrofitting some code, too.
>
> The question is whether to use Val() or IsNumeric to prevent non-numeric
> characters from being inserted/updated to the database. I know this is an
> individual choice based on your own need, but I'm curious what others use.
>
> Val() or IsNumeric?
>
> thanks,
> Chris Norloff
>
>
> Val() vs. IsNumeric
> -------------------
>
> The weakness we're addressing is the potential problem of characters other
> than numbers in a user-supplied number field:
>
> "In ColdFusion, this risk is only an issue if the variable in the query is
> a number not enclosed in quotations, or if the variable is a string that
> is processed in the query with the PreserveSingleQuotes() function."
> from http://allaire.com/handlers/index.cfm?ID=8728&Method=Full
>
> The solution(s) are addressed in this same document, and also in Securing
> Databases for ColdFusion Applications
> ( http://www.allaire.com/handlers/index.cfm?ID=8830&Method=Full )
>
> SOLUTIONS
> 1. Use IsNumeric to test every URL or FORM variable prior to
> inserting/updating that info to the database.
> 2. Wrap Val() around every URL or FORM variable when it's used in a
> statement inserting/updating to the database.
>
>
> Val():
> ------
> Val() does what we want for a number or a number followed by a string - it
> leaves just the number. However, if the value starts with a non-numeric
> character, then Val() returns a zero. This may be a concern, because it
> means that a user-supplied value could have a zero placed in the database
> rather than error when an invalid entry is submitted. We wouldn't know this
> until the zeros were identified, or cause problems "downstream".
>
>
> IsNumeric can be used two ways:
> -------------------------------
> [IsNumeric returns a YES or NO depending on whether the value is numeric or not]
>
> 1. Individually test all URL & FORM values and error as appropriate, prior
> to the query.
> 2. Use IsNumeric in a cfif inside the query - if the value is numeric,
> continue; if not then abort and error.
>
>
> I'm of two minds on this:
> 1. Val() is easier to use, especially to retrofit.
> 2. IsNumeric is nicer in that if used correctly it completely protects the
> database.
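Added example (not from either message in the thread): the three approaches from the discussion written out side by side in CFML, assuming a datasource named `mydsn` and a table `orders` with an integer `id` column; the input value is constructed to be the "number followed by a string" case the post describes.

```cfml
<!--- Constructed sample input: a number followed by a string, as in the post --->
<cfset rawId = "42abc">

<!--- Approach 1: Val(). "42abc" becomes 42 and the query runs; "abc" would
      become 0 and silently look up (or insert) a zero, the downside the post
      points out. No error is ever raised. --->
<cffunction name="getOrderWithVal" returntype="query">
    <cfargument name="rawId" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="mydsn">
        SELECT id, total FROM orders WHERE id = #Val(arguments.rawId)#
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- Approach 2: IsNumeric() guard before the query. Anything that is not
      wholly numeric ("42abc", "abc") is rejected with an error instead of
      being coerced, so nothing unexpected reaches the SQL text. --->
<cffunction name="getOrderWithIsNumeric" returntype="query">
    <cfargument name="rawId" type="string" required="true">
    <cfset var q = "">
    <cfif NOT IsNumeric(arguments.rawId)>
        <cfthrow type="InvalidInput" message="id must be numeric">
    </cfif>
    <cfquery name="q" datasource="mydsn">
        SELECT id, total FROM orders WHERE id = #arguments.rawId#
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- Approach 3: cfqueryparam, as the reply recommends. The value is bound
      as an integer parameter rather than spliced into the SQL string; a
      value such as "42abc" fails the cf_sql_integer type check and the
      query is not executed. --->
<cffunction name="getOrderWithQueryParam" returntype="query">
    <cfargument name="rawId" type="string" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="mydsn">
        SELECT id, total
        FROM orders
        WHERE id = <cfqueryparam value="#arguments.rawId#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- With rawId = "42abc": approach 1 runs with id 42, approaches 2 and 3 raise an error --->
<cfset orders = getOrderWithVal(rawId)>
```

Only the Val() call completes for the constructed input; wrapping the other two in cftry/cfcatch shows the error each one raises.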

