No, it won't. It'll produce the SQL equivalent of:
select * from mytable where username = 'tony ''drop table tablename --' ----- Original Message ----- From: [EMAIL PROTECTED] Date: Friday, April 12, 2002 11:46 am Subject: RE: RE: Preventing SQL injection attacks...? > still. if i had the value > > tony ' drop table tablename-- > > and a cfqueryparam with a type of CF_SQL_VARCHAR > > it would still pass in the value as such > > select * from mytable where username = 'tony ' drop table > tablename--' > > which would cause the table to be dropped. > > > Anthony Petruzzi > Webmaster > 954-321-4703 > [EMAIL PROTECTED] > http://www.sheriff.org > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Friday, April 12, 2002 1:45 PM > To: CF-Talk > Subject: Re: RE: Preventing SQL injection attacks...? > > > <cfqueryparam> does in fact prevent that code from running. > <cfqueryparam> creates a prepared statement with parameters. It > then > compares what you've entered as a value with the datatype you've > specified and, if successful, binds the parameters with what > you've > entered. So, if you entered: > > select * from table where id = <cfqueryparam value="#url.id#" > cfsqltype="CF_SQL_DECIMAL"> > > and then in your url entered: id=12;drop table yourtable > > It would through you an error. > > As well, if you had: > > select * from table where id = <cfqueryparam value="#url.id#" > cfsqltype="CF_SQL_VARCHAR"> > > It would create the equivalent SQL statement of: > > select * from table where id = '12;drop table yourtable' > > ----- Original Message ----- > From: [EMAIL PROTECTED] > Date: Friday, April 12, 2002 11:00 am > Subject: RE: Preventing SQL injection attacks...? > > > let's say you have a text field that is 100 characters long. you > > can still > > get a "drop table tablename" appended to the sql statement or > > write an > > entire sql statment. Cfqueryparam was meant to speed up cfquery, > > not be to a > > cure all. > > > > Anthony Petruzzi > > Webmaster > > 954-321-4703 > > [EMAIL PROTECTED] > > http://www.sheriff.org > > > > > > -----Original Message----- > > From: Zac Spitzer [mailto:[EMAIL PROTECTED]] > > Sent: Friday, April 12, 2002 1:06 PM > > To: CF-Talk > > Subject: Re: Preventing SQL injection attacks...? > > > > > > [EMAIL PROTECTED] wrote: > > > > >you can't forget that form fields also play a part in this. > after > > reading>the informaiton provided in jeff's link, it did shine a > > light. although i > > >have been taught from the beginning to always use val() around > > numberic>values (thank Adam) and to use regex to validate text > > input (props > > Raymond). > > >if your anal and take the time to make sure that the > information that > > people > > >are passing you is in the extact fomrat you want, you shouldn't > > have a > > >problem. also, don't rely on javascript, i always do server- > side > > validation>even after client side, just to make certain. i even > go > > as far as putting > > as > > >much validation as i can into my stored procedures and > triggers. > > although>SQL server doesn't support regular expressions , which > > sucks! anyone know a > > >way it could? > > > > > why not just use cfqueryparam, it validates and it makes your > sql > > code > > run faster??? > > > > > > > > ______________________________________________________________________ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
