The <cfqueryparam> isn't a workaround; it's the normal procedure to take in any text and put it into a query in CFMX. It both validates
and makes more efficient (not in your case though). Sorry, but I don't think there's a magic_quotes-like feature (?)
The cfqueryparam tag also prevents somebody from doing an SQL injection.
Read more about SQL injections here:
http://www.owasp.org/asac/input_validation/sql.shtml
It's worth having a gander at this too:
http://mxdu.com/index.cfm?objectid=BC95ABA7-D0B7-4CD6-F906EABEDAAA4863
especially if you're a server admin. It's Spike's presentation on CFMX security at MXDU.
If I were you I'd write a PERL script to modify all the queries in your CFCs/CFML and then go and test them (this is where CFC unit testing would be invaluable - just go and run the tests on your data access CFCs). (You could use regex in Dreamweaver if you go and follow that thread).
- tim
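The audit Tim suggests scripting, written here in Python rather than Perl as an added example that is not from the thread: it lists every `#...#` interpolation inside a `<cfquery>` body that is not wrapped in a `<cfqueryparam>`, run over a constructed CFML snippet shaped like the query earlier in this thread (so it flags the bare `#my_id#` while accepting the parameterised comment).

```python
import re

# Constructed CFML sample (not from the thread): one query with a parameterised
# value and a raw interpolation, one fully parameterised query.
SAMPLE_CFML = '''
<cfquery name="Update_Test" datasource="#DSN#">
  update mytest set mytest_comment =
    <cfqueryparam value="#form.mytest_comment#" cfsqltype="cf_sql_varchar" />
  where testid = #my_id#
</cfquery>
<cfquery name="Lookup" datasource="#DSN#">
  select * from mytest
  where testid = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
'''

# Tag attributes (group 1) are kept separate from the SQL body (group 2), so
# datasource="#DSN#" on the opening tag is never counted as a finding.
CFQUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
CFQUERYPARAM_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE)
INTERP_RE = re.compile(r'#([^#]+)#')


def find_raw_interpolations(cfml):
    """Return (query_name, expression) pairs for #expr# used directly in SQL text."""
    findings = []
    for m in CFQUERY_RE.finditer(cfml):
        attrs, body = m.group(1), m.group(2)
        name_match = NAME_RE.search(attrs)
        qname = name_match.group(1) if name_match else '<unnamed>'
        # Blank out every cfqueryparam tag so its value="#...#" is not reported,
        # then drop the CFML escape for a literal hash ("##") before matching.
        stripped = CFQUERYPARAM_RE.sub(' ', body).replace('##', '')
        for im in INTERP_RE.finditer(stripped):
            findings.append((qname, im.group(1).strip()))
    return findings


if __name__ == '__main__':
    for qname, expr in find_raw_interpolations(SAMPLE_CFML):
        print(f'query "{qname}": #{expr}# is inserted into SQL without cfqueryparam')
```

Point it at the contents of each .cfm/.cfc file to build the list of queries that still need converting before testing them.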
Phil Evans spoke the following wise words on 27/06/2003 11:36 AM EST:
Thanks Tim. I could code around the issue, and your suggestion is no doubt a great place to start. However I would have a lot of code to check through and modify, and was really hoping to find the magic switch that enables it to keep working just the way it always has. Any ideas?
Thanks, Phil.

----- Original Message -----
From: "Tim" <[EMAIL PROTECTED]>
To: "CFAussie Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, June 27, 2003 11:06 AM
Subject: [cfaussie] Re: Single Quote insert into SQL

Try:

<cfquery name="Update_Test" datasource="#DSN#">
update mytest set mytest_comment = <cfqueryparam value="#form.mytest_comment#" cfsqltype="cf_sql_varchar" />
where testid = #my_id#
</cfquery>

Change the sqltype accordingly.
- tim

Phil Evans spoke the following wise words on 27/06/2003 10:55 AM EST:
However, I've just migrated the site to a new server, Win 2000, MX (updater unknown), SQL 2000 and if a user enters a single quote in a comment, it spits.
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
MX Downunder AsiaPac DevCon - http://mxdu.com/
