OK, I'm convinced! Having run a few tests using CF5/SQL2K, I see what you mean.

However, shouldn't it be good practice to use the cfsqltype attribute, and, where character variables are concerned, the maxlength attribute also? Is there any way (when the <cfqueryparam> is not being used) to cause a cross-scripting exploit to (say) drop another table, by adding 'DROP TABLE xxx' onto the end of a URL - I couldn't get it to work at all.

Cheers
Terry

----------Original Message---------

> The CFSQLTYPE is used to validate the input. Use of the cfqueryparam
> tag will always have the effect of preventing SQL injection. e.g.
>
> The following uses a cfqueryparam tag without the cfsqltype attribute:
>
> test (Records=1, Time=10ms)
> SQL =
> SELECT *
> FROM event
> where eventid = ?
>
> Query Parameter Value(s) -
> Parameter #1 = 123
>
> Steve
>
> > -----Original Message-----
> > From: Terry Riley [mailto:[EMAIL PROTECTED]
> > Sent: 12 November 2003 09:10
> > To: [EMAIL PROTECTED]
> > Subject: Re: [ cf-dev ] Use of <cfqueryparam>
> >
> > But only if qualified by the cfsqltype, as far as I can tell.
> >
> > Anyone else care to comment?
> >
> > Cheers
> > Terry
> >
> > ----------Original Message---------
> >
> > > Terry,
> > >
> > > As I understand it using <cfqueryparam stops any SQL being hacked in to
> > > the query through the url or form var. It ensures that the passed variable
> > > is treated as a variable and not read as anything else.
> > >
> > > d
> > >
> > > ----- Original Message -----
> > > From: "Terry Riley" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, November 11, 2003 1:30 PM
> > > Subject: [ cf-dev ] Use of <cfqueryparam>
> > >
> > > > I've seen a lot of code lately where the query (either extracting,
> > > > inserting or updating information) uses the
> > > >
> > > > <cfqueryparam value="#xxx#"> in the WHERE clause, without qualifying the
> > > > parameter with a cfsqltype.
> > > >
> > > > I can understand the use of the cfqueryparam with a cfsqltype and other
> > > > attributes as one way of preventing cross-site scripting (adding
> > > > additional text to the string to do something evil), but see no point in
> > > > using
> > > >
> > > > 'WHERE ID = <cfqueryparam value="#url.ID#">'
> > > >
> > > > as opposed to
> > > >
> > > > 'WHERE ID = "#url.ID#"'
> > > >
> > > > Is there one? Is it faster? Manuals and googles don't seem to come up
> > > > with an answer.....
> > > >
> > > > Cheers
> > > > Terry

-- 
** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For human help, e-mail: [EMAIL PROTECTED]
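The distinction the thread turns on (a bound parameter is sent to the database as a value, separate from the statement text, so it is never parsed as SQL, while `#url.ID#` interpolation splices request text straight into the statement) is easier to see in a runnable form. The following is an added example, not code from the list or from ColdFusion; it uses Python's sqlite3 driver in place of CF5/SQL2K, and the `event` table contents, the `coerce_param` helper that emulates what `cfsqltype`/`maxlength` add on top of binding, and all function names are constructed for this illustration. The unsafe statement is only built, never executed, so the example shows what the interpolated SQL contains without running it.

```python
import sqlite3

# Constructed sample rows standing in for the "event" table from the thread.
SAMPLE_EVENTS = [(123, "AGM"), (124, "Summer party")]


def make_db():
    """In-memory SQLite database with the sample event table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (eventid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO event VALUES (?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def build_unsafe_sql(url_id):
    """Equivalent of  WHERE ID = #url.ID#  : the request text becomes part of
    the SQL statement itself. Returned as text only; deliberately not run."""
    return f"SELECT eventid, name FROM event WHERE eventid = {url_id}"


def lookup_param(conn, url_id):
    """Equivalent of  WHERE ID = <cfqueryparam value="#url.ID#">  without a
    cfsqltype: the statement is fixed and the driver sends the value separately,
    so whatever the value contains is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT eventid, name FROM event WHERE eventid = ?", (url_id,)
    ).fetchall()


def coerce_param(value, cfsqltype, maxlength=None):
    """Hypothetical stand-in for the extra checks cfsqltype and maxlength give:
    the value must look like the declared type (and fit the declared length)
    before it is ever bound, so junk is rejected with an error instead of a
    silently empty result set."""
    if cfsqltype == "cf_sql_integer":
        try:
            return int(value)
        except (TypeError, ValueError):
            raise ValueError(f"not an integer: {value!r}")
    if cfsqltype == "cf_sql_varchar":
        text = str(value)
        if maxlength is not None and len(text) > maxlength:
            raise ValueError(f"value exceeds maxlength {maxlength}")
        return text
    raise ValueError(f"unsupported cfsqltype {cfsqltype!r}")


def rejects(value, cfsqltype, maxlength=None):
    """True if coerce_param refuses the value (used to check the validation)."""
    try:
        coerce_param(value, cfsqltype, maxlength)
    except ValueError:
        return True
    return False


def lookup_typed(conn, url_id):
    """Binding plus type validation: the cfqueryparam-with-cfsqltype pattern."""
    return lookup_param(conn, coerce_param(url_id, "cf_sql_integer"))


def table_survives(conn):
    """True while the event table still holds all the sample rows."""
    return conn.execute("SELECT count(*) FROM event").fetchone()[0] == len(SAMPLE_EVENTS)


if __name__ == "__main__":
    db = make_db()
    hostile = "123; DROP TABLE event"
    print("interpolated SQL :", build_unsafe_sql(hostile))   # DROP is now SQL text
    print("bound as value   :", lookup_param(db, hostile))   # [] : compared as data
    print("typed binding    :", rejects(hostile, "cf_sql_integer"))  # True : refused
    print("table intact     :", table_survives(db))
```

Usage note: whether the interpolated statement actually executes the appended `DROP TABLE` depends on the driver and database (sqlite3's `execute()` refuses multi-statement strings, SQL Server and others accept them), which is why "I couldn't get it to work" on one setup says nothing about another. The bound version behaves the same on every backend, and the typed version additionally turns a malformed ID into a visible error you can log rather than an empty query.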
