What if you want to handle things gracefully without throwing exceptions?
Use IsNumeric() - Val("123abc") will evaluate to 123, which you don't want
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, November 14, 2001 7:46 AM
Subject: Re: Val() vs. IsNumeric
> The cfqueryparam Tag suits your needs here the best I would believe.
>
> Greetings.
>
> > I need to protect our database from user-inputted data in FORM & URL
> > variables. This involves retrofitting some code, too.
> >
> > The question is whether to use Val() or IsNumeric to prevent non-numeric
> > characters from being inserted/updated to the database. I know this is an
> > individual choice based on your own need, but I'm curious what others use.
> >
> > Val() or IsNumeric?
> >
> > thanks,
> > Chris Norloff
> >
> >
> > Val() vs. IsNumeric
> > -------------------
> >
> > The weakness we're addressing is the potential problem of characters other
> > than numbers in a user-supplied number field:
> >
> > "In ColdFusion, this risk is only an issue if the variable in the query is
> > a number not enclosed in quotations, or if the variable is a string that
> > is processed in the query with the PreserveSingleQuotes() function."
> > >from http://allaire.com/handlers/index.cfm?ID=8728&Method=Full
> >
> > The solution(s) are addressed in this same document, and also in Securing
> > Databases for ColdFusion Applications (
> > http://www.allaire.com/handlers/index.cfm?ID=8830&Method=Full )
> >
> > SOLUTIONS
> > 1. Use IsNumeric to test every URL or FORM variable prior to
> > inserting/updating that info to the database.
> > 2. Wrap Val() around every URL or FORM variable when it's used in a
> > statement inserting/updating to the database.
> >
> >
> >
> > Val():
> > ------
> > Val() does what we want for a number or a number followed by a string - it
> > leaves just the number. However, if the value starts with a non-numeric
> > character, then Val() returns a zero. This may be a concern, because it
> > means that a user-supplied value could have a zero placed in the database
> > rather than error when an invalid entry is submitted. We wouldn't know this
> > until the zero's were identified, or cause problems "downstream".
> >
> >
> > IsNumeric can be used two ways:
> > -------------------------------
> > [IsNumeric returns a YES or NO depending if the value is numeric or not]
> >
> > 1. Individually test all URL & FORM values and error as appropriate, prior
> > to the query.
> > 2. Use IsNumeric in a cfif inside the query - if the value is numeric,
> > continue; if not then abort and error.
> >
> >
> > I'm of two minds on this:
> > 1. Val() is easier to use, especially to retrofit.
> > 2. IsNumeric is nicer in that if used correctly it completely protects the
> > database.
> >
>
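As an added illustration (this is not code from the original thread), the following ColdFusion page runs the same untrusted values through Val() and IsNumeric(), then shows the unprotected query, the two approaches from the post and the cfqueryparam version recommended in the reply. The datasource name `myDSN`, the `users` table and the sample values are assumptions made for this example.

```cfml
<!--- Added example (not from the thread). Datasource "myDSN", table "users"
      and the sample values are assumptions made for this illustration. --->

<!--- Constructed inputs: a clean number, a number with trailing text,
      pure text, an injection payload and a decimal. --->
<cfset samples = "42|123abc|abc|1 OR 1=1|1.5">

<cfoutput>
<cfloop list="#samples#" delimiters="|" index="s">
  <!--- Val() keeps the leading digits and returns 0 otherwise:
        "123abc" -> 123, "abc" -> 0, "1 OR 1=1" -> 1.
        IsNumeric() is YES only for a wholly numeric string:
        "42" and "1.5" -> YES, the other three -> NO. --->
  #s#: val=#val(s)# isNumeric=#isNumeric(s)#<br>
</cfloop>
</cfoutput>

<!--- Constructed attacker value for the query variants below. --->
<cfset url.id = "1 OR 1=1">

<!--- 1. Unprotected: the number is not enclosed in quotes, so the text of
      url.id is spliced into the SQL and the WHERE clause matches every row. --->
<cfquery name="qBad" datasource="myDSN">
  SELECT id, name FROM users WHERE id = #url.id#
</cfquery>

<!--- 2. Val(): the payload collapses to 1, so there is no injection, but
      a value such as "abc" would silently query for id = 0 instead of failing. --->
<cfquery name="qVal" datasource="myDSN">
  SELECT id, name FROM users WHERE id = #val(url.id)#
</cfquery>

<!--- 3. IsNumeric(): reject the request instead of coercing the value.
      With the payload above this branch throws and the query never runs. --->
<cftry>
  <cfif NOT isNumeric(url.id)>
    <cfthrow type="InvalidInput" message="id must be numeric">
  </cfif>
  <cfquery name="qChecked" datasource="myDSN">
    SELECT id, name FROM users WHERE id = #url.id#
  </cfquery>
  <cfcatch type="InvalidInput">
    <cfoutput>Rejected: #cfcatch.message#<br></cfoutput>
  </cfcatch>
</cftry>

<!--- 4. cfqueryparam: the value is sent as a typed bind parameter rather
      than as SQL text, and a value that is not an integer is rejected by
      the cf_sql_integer type check before the query is sent. --->
<cftry>
  <cfquery name="qParam" datasource="myDSN">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
  </cfquery>
  <cfcatch type="any">
    <cfoutput>Rejected by cfqueryparam: #cfcatch.message#<br></cfoutput>
  </cfcatch>
</cftry>
```

Two caveats worth keeping in mind when retrofitting: IsNumeric() says YES for decimals such as "1.5", so it does not by itself guarantee that a value fits an integer column, whereas the cf_sql_integer type on cfqueryparam does; and both Val() and IsNumeric() only address the unquoted-number case quoted from the Allaire document, while cfqueryparam also covers string values because the parameter is never part of the SQL text.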