I don't want to be rude but I think there is a big difference between 'jumbled mess' and good code.
The point of writing any application should be to use the tools you know in the method that is best, not easiest. Just because CFQUERYPARAM 'looks' jumbled does not seem like a valid reason to not use it. The benefits, security (not appending SQL actions), typed input values, and character length checking, are well worth the look of the tag. So ANYWHERE user input is passed to a query, CFQUERYPARAM it and forget about those thoughts of "If a hacker was really smart he'd just add '; DELETE FROM tblCustomer'". The hackers are that smart. It's too late to try security by obscurity. MSFT tries it and every time something comes up the public says "Thanks for the patch, we forgive you." Your client probably won't have the same response.

<stepping down from soapbox />

t

**********************************************************************
Tyler M. Fitch
Certified Advanced ColdFusion 5 Developer
ISITE Design, Inc.
615 SW Broadway Ste. 200
Portland, OR 97205
503.221.9860 ext. 111
http://isitedesign.com
**********************************************************************

-----Original Message-----
From: Douglas Brown [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 27, 2001 1:00 PM
To: CF-Talk
Subject: Re: SQL Security

Wow I just wrote what Dave did before looking at the whole post :D . I for one would not want to use <cfqueryparam> in all my queries!!! What a jumbled mess that would create.

Doug

----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, December 27, 2001 12:21 PM
Subject: RE: SQL Security

> > I had you guys poke at my application the other day to find bugs and
> > security problems. Now I need to ask a few questions about SQL
> > security as I am finding out a lot of what I thought was right is
> > wrong. I am using cfqueryparam now in my where and and clauses, now
> > do I need to also put cfqueryparam for fields I update, can they
> > append data there.
> Yes, it is conceivable that data could be appended to insert and
> update queries.
>
> > Anything else I may have missed out here?
>
> Probably, the biggest thing that you haven't mentioned here (perhaps because
> you might already take it for granted) doesn't really have to do with how
> you write your application code. Ideally, even if you don't filter input in
> your application code, you can limit your exposure to harm by
> correctly configuring the database, and rights and permissions within
> that database.
> For example, you can create a user within the database, and explicitly grant
> and deny rights appropriately for that user.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
______________________________________________________________________
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
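Added here as an illustration, not code from anyone in the thread: the concatenated UPDATE that Doug's reply has in mind, beside the cfqueryparam form Tyler and Dave recommend for the SET values as well as the WHERE clause. The datasource, table and column names are assumed.

```cfml
<!--- Added example (not from the original thread). The datasource "myDSN",
      the table tblCustomer and its columns are assumed for illustration. --->

<!--- UNSAFE: form.customerID and form.email are spliced straight into the
      SQL text, so a value such as  1; DELETE FROM tblCustomer  becomes part
      of the statement instead of part of the data. --->
<cfquery name="updateCustomerUnsafe" datasource="myDSN">
    UPDATE tblCustomer
    SET    email = '#form.email#'
    WHERE  customerID = #form.customerID#
</cfquery>

<!--- SAFE: every user-supplied value, in SET as well as WHERE, goes through
      cfqueryparam. The driver sends it as a bound parameter, so it can only
      ever be a value; cfsqltype="cf_sql_integer" rejects a non-numeric ID
      before the query runs, and maxlength caps the email at the column width
      (the "typed input values" and "character length checking" Tyler lists). --->
<cfquery name="updateCustomerSafe" datasource="myDSN">
    UPDATE tblCustomer
    SET    email = <cfqueryparam value="#form.email#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="100">
    WHERE  customerID = <cfqueryparam value="#form.customerID#"
                                      cfsqltype="cf_sql_integer">
</cfquery>
```

Dave's second point still applies on top of this: run the application's queries as a database user that has been granted only the rights those queries need, so that a parameter that slips through unparameterized cannot drop or delete what that user cannot touch.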

