CFQueryParam gives you an easy way to validate the query params. Some
clever, bored hackers have figured out how to do things like pass a drop
table query through the header. It is an even easier exploit if you are
passing query parameters through the URL string.

At 11:51 AM 12/16/2002 -0500, you wrote:
>Hi, Craig, and thanks for the reply.
>
>When you say they "make things a lot more secure."
>What exactly do you mean?  Boy, that's a lot of extra typing
>over the typical CFINSERT syntax...
>
>Rick
>
>
>-----Original Message-----
>From: Craig Dudley [mailto:[EMAIL PROTECTED]]
>Sent: Monday, December 16, 2002 11:10 AM
>To: CF-Talk
>Subject: RE: mySQL & CF
>
>
>Standard SQL inserts will work fine on most if not all RDBMSs.
>
>Eg.
>
>insert into tablename
>(int_col1,varchar_col2)
>values
>(<cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.val1#">,
> <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.val2#">)
>
>Do try to use the cfqueryparams, they make things a lot more secure.
>
>-----Original Message-----
>From: Rick Faircloth [mailto:[EMAIL PROTECTED]]
>Sent: 16 December 2002 16:02
>To: CF-Talk
>Subject: RE: mySQL & CF
>
>Hi, Matt.
>
>I, too, learned about the CFUPDATE problem from personal experience
>and from the Allaire forums when I first started using CF (with Access
>at that time).
>I stopped using it and went to the CFQUERY...Set... approach. That's
>worked fine.
>
>I haven't had any problems with CFINSERT, but if that may be problematic
>in the future I may as well go ahead and change my coding habits now.
>
>How is the INSERT coded for mySQL and CF?
>Example?
>
>Thanks,
>
>Rick
>
>
>-----Original Message-----
>From: Matt Robertson [mailto:[EMAIL PROTECTED]]
>Sent: Monday, December 16, 2002 1:11 AM
>To: CF-Talk
>Subject: RE: mySQL & CF
>
>
>Rick,
>
>I noticed you mention that you use CFINSERT. From your earlier postings
>I know you are on CF 4.5x, as I am.
>
>You're likely to discover that CFINSERT and/or CFUPDATE sometimes blow
>sky-high on CF 4.5x (at least) when working with mySQL (3.23 for sure,
>and maybe 4.0x). In threads on the subject over at the (then) Allaire
>forums no specific cause was ever traced. It just happens. Sometimes.
>
>In one of those threads I believe it was Paul Hastings who advised me to
>'just say no to cfinsert/cfupdate' and it ranks as some of the best CF
>advice I ever got. On the surface those tags appear to be handy
>shortcuts, but they black-box your SQL, take away the otherwise granular
>control you should have and make debugging ... difficult.
>
>I suggest you follow the same advice -- you'll probably find out you
>have to, anyway. While you're at it go for the double bonus and
>implement cfqueryparam.
>
>Happy Monday (early) :)
>
>---------------------------------------
>Matt Robertson, MSB Designs, Inc.
>http://mysecretbase.com - Retail
>http://foohbar.org - ColdFusion Tools
>---------------------------------------
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
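The point made at the top of this thread (a URL or form value dropped straight into SQL lets an attacker rewrite the statement, and cfqueryparam prevents it), as an added example written by the editor and not code posted by anyone in the thread. The datasource "myDSN", the "users" table and its columns are assumed names chosen for the illustration; the cfquery and cfqueryparam syntax is standard CFML.

```cfml
<!--- Added example, not from the thread. The datasource "myDSN" and the
      "users" table (id, username, email) are assumed names. --->

<!--- VULNERABLE: url.id is pasted into the SQL text. A request such as
          page.cfm?id=1 OR 1=1
      turns the WHERE clause into a tautology and returns every row, and on a
      driver that accepts stacked statements the same slot can carry
          page.cfm?id=1; DROP TABLE users
      A string slot written as  WHERE name = '#url.name#'  is just as exposed:
      one single quote in the value closes the literal early. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- SAFE: cfqueryparam binds the value as a typed parameter. The SQL text
      the database receives is always  WHERE id = ?  and the value travels
      separately, so nothing in it can change the statement. CF_SQL_INTEGER
      also makes ColdFusion reject a non-numeric value (such as "1 OR 1=1")
      with an error before the query is ever sent. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#url.id#">
</cfquery>

<!--- The INSERT from Craig's reply, shown inside the cfquery tag that has to
      wrap it. maxlength caps each string at the column width, so an
      over-long value fails here instead of being silently truncated or
      rejected by the database later. --->
<cfquery name="addUser" datasource="myDSN">
    INSERT INTO users (username, email)
    VALUES (
        <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.username#" maxlength="50">,
        <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.email#" maxlength="255">
    )
</cfquery>
```

One caveat worth checking in existing code: cfqueryparam must not be wrapped in quotes in the SQL. Writing `WHERE name = '<cfqueryparam ...>'` sends the literal string `'?'` to the database and the bound value is never compared, so the query quietly matches nothing; the tag itself supplies any quoting the type needs.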