No, that’s one of the problems with relying on cfqueryparam for sql injection. To be clear, this is NOT its job. People rely on it basically as a hack. It only works when you set the type to something like CF_SQL_INTEGER, because the incoming value is supposed to be a number, in which case it then detects if the incoming arg has any sort of string in it, which causes the arg value to be rejected, and so the cfquery fails.
As you note, if the type is string (CF_SQL_VARCHAR), then there’s no validation for it to do. To be clear, it does NOT look in the string for things that are naughty, like special chars, reserved words, etc. The most you could do with it would be to add the maxlength attribute to perhaps stop at least long injection attempts.

That’s why I pointed out all those other alternatives. You are far better off considering one of them, as they focus specifically on detecting and preventing injection strings.

I’ve just tweaked the entry I had there for cfqueryparam to add this clarification. It’s worth clarifying, because so many people do just blindly propose or hope that cfqueryparam is the answer for sql injection protection. It’s only one answer, and only suited to some specific problems, not all.

/charlie

PS Brian, note that somehow when you write to the group here, your notes get pegged with a “**spam**” indicator in the subject line. It’s happened for each of your notes in 2015. And when you reply to one that already has it, another is added. :-( I have removed those indicators here. Sorry if it messes up threading for anyone viewing the messages in the web interface of google groups. Hope it helps those viewing it in email.

From: cfaussie@googlegroups.com [mailto:cfaussie@googlegroups.com] On Behalf Of Brian Knott
Sent: Tuesday, May 26, 2015 11:00 PM
To: cfaussie@googlegroups.com
Subject: *****SPAM***** RE: *****SPAM***** [cfaussie] CF 11 and SQL injection

Thanks Charlie. One question re cfqueryparam. If I'm using the CF_SQL_VARCHAR type does it strip out injected SQL, because basically injected SQL is just text.

Brian
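An added illustration, not part of the thread and not ColdFusion code: a Python/sqlite3 stand-in for what a bound parameter does, which is the mechanism behind cfqueryparam. It shows that a varchar parameter is sent as data and compared literally (nothing is stripped), that a length cap like maxlength is the only extra check available, and that an integer-typed parameter fails before the query is ever sent. The users table, its rows, the probe string and the `maxlength` argument are all constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """The unsafe pattern: the value is spliced into the SQL text, so the
    database parses whatever the caller typed as part of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name, maxlength=None):
    """Bound parameter, the analogue of cfsqltype="cf_sql_varchar".

    The value travels separately from the statement and is compared as a
    literal string. Nothing inside it is inspected or stripped; the only
    check we can bolt on is a length cap, mirroring the maxlength attribute
    (assumed here to reject, as cfquery fails, rather than truncate)."""
    if maxlength is not None and len(name) > maxlength:
        raise ValueError("value exceeds maxlength")
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_id_bound(conn, user_id):
    """Analogue of cfsqltype="cf_sql_integer": the value must parse as an
    integer or the query is never sent, which is the only reason that
    type alone blocks string payloads."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR 'a'='a"  # the textbook tautology, used only to show the contrast
    print("concatenated:", find_by_name_concat(db, probe))  # every row comes back
    print("bound:", find_by_name_bound(db, probe))          # no row is named that
    print("bound by id:", find_by_id_bound(db, "2"))
```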