Yes, cfqueryparam is much better here. Thanks.

Chris Norloff

---------- Original Message ----------------------------------
from: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
date: Wed, 14 Nov 2001 14:46:22 +0100 (MET)

>The cfqueryparam Tag suits your needs here the best I would believe.
>
>Greetings.
>
>> I need to protect our database from user-inputted data in FORM & URL
>> variables. This involves retrofitting some code, too.
>>
>> The question is whether to use Val() or IsNumeric to prevent non-numeric
>> characters from being inserted/updated to the database. I know this is an
>> individual choice based on your own need, but I'm curious what others use.
>>
>> Val() or IsNumeric?
>>
>> thanks,
>> Chris Norloff
>>
>>
>> Val() vs. IsNumeric
>> -------------------
>>
>> The weakness we're addressing is the potential problem of characters other
>> than numbers in a user-supplied number field:
>>
>> "In ColdFusion, this risk is only an issue if the variable in the query is
>> a number not enclosed in quotations, or if the variable is a string that
>> is processed in the query with the PreserveSingleQuotes() function."
>> from http://allaire.com/handlers/index.cfm?ID=8728&Method=Full
>>
>> The solution(s) are addressed in this same document, and also in Securing
>> Databases for ColdFusion Applications (
>> http://www.allaire.com/handlers/index.cfm?ID=8830&Method=Full )
>>
>> SOLUTIONS
>> 1. Use IsNumeric to test every URL or FORM variable prior to
>> inserting/updating that info to the database.
>> 2. Wrap Val() around every URL or FORM variable when it's used in a
>> statement inserting/updating to the database.
>>
>>
>>
>> Val():
>> ------
>> Val() does what we want for a number or a number followed by a string - it
>> leaves just the number. However, if the value starts with a non-numeric
>> character, then Val() returns a zero. This may be a concern, because it
>> means that a user-supplied value could have a zero placed in the database
>> rather than error when an invalid entry is submitted. We wouldn't know this
>> until the zeros were identified, or cause problems "downstream".
>>
>>
>> IsNumeric can be used two ways:
>> -------------------------------
>> [IsNumeric returns a YES or NO depending if the value is numeric or not]
>>
>> 1. Individually test all URL & FORM values and error as appropriate, prior
>> to the query.
>> 2. Use IsNumeric in a cfif inside the query - if the value is numeric,
>> continue; if not then abort and error.
>>
>>
>> I'm of two minds on this:
>> 1. Val() is easier to use, especially to retrofit.
>> 2. IsNumeric is nicer in that if used correctly it completely protects the
>> database.
>>
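Added illustration (not part of this thread, and not code from either poster) of the three approaches compared above in CFML: the Val()/IsNumeric() behaviour on a handful of constructed inputs, an explicit IsNumeric() pre-check that fails closed, and the cfqueryparam binding the reply recommends. `URL.id`, the datasource name `myDSN` and the `users` table are assumed names.

```cfml
<!--- Constructed sample inputs (not from the thread): a clean number,
      a number with trailing text, and text with no leading digit --->
<cfset samples = "42,42abc,abc">

<cfloop list="#samples#" index="s">
    <cfoutput>
        value="#s#" : Val() = #Val(s)#, IsNumeric() = #IsNumeric(s)#<br>
    </cfoutput>
</cfloop>
<!--- Val() keeps the leading digits of "42abc" and maps "abc" to zero, so an
      invalid entry becomes a silent 0 in the table; IsNumeric() answers NO
      for both, which is why it fails closed where Val() does not. --->

<!--- Approach 1: reject non-numeric input before the query ever runs --->
<cfif NOT IsNumeric(URL.id)>
    <cfthrow type="Application" message="id must be numeric">
</cfif>

<!--- Approach 2 (the one the reply recommends): cfqueryparam sends the value
      as a typed bind parameter rather than pasting it into the SQL text, and
      cf_sql_integer raises an error for "abc" or "42abc" instead of storing 0.
      The interpolated form  WHERE id = #URL.id#  is what the quoted Allaire
      note warns about; the parameterised form below replaces it. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#URL.id#">
</cfquery>
```

Because cfqueryparam throws on a non-integer value, wrapping the query in cftry/cfcatch (or keeping the IsNumeric() pre-check) lets the page return a clean validation error to the user while the database still never sees unparameterised input.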

