James,


CFQUERYPARAM does provide a layer of typing that running a basic query
misses.  For instance, if you have this query:


SELECT firstname, lastname FROM employees WHERE employeeId = #url.employeeId#


and I change the value of employeeId=2 in my address bar to something
like:


2;SELECT password AS firstname, lastname FROM employees WHERE employeeId = 2


...I can probably manipulate your database to do what I please.  It's
called a SQL injection attack, and CFQUERYPARAM is one very good way to
prevent it, as it creates prepared statements that take parameters, not
dynamic formed SQL.  For more info, check out this article:


http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html


-Joe
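
Below is an added example (not part of Joe's message or of ColdFusion) that shows the two query styles side by side in Python with the standard-library sqlite3 module standing in for the ColdFusion datasource. The employees rows are constructed sample data; the payload is the one from the message above. Building the SQL by string interpolation (the `#url.employeeId#` style) turns the input into a second statement, while binding it as a parameter (the cfqueryparam style, here with an integer check playing the role of `cfsqltype="cf_sql_integer"`) keeps it as a single value that is either rejected or simply matches nothing.

```python
import re
import sqlite3

# Constructed sample rows standing in for the "employees" table in the thread.
SAMPLE_ROWS = [
    (1, "Ada", "Lovelace", "hunter2"),
    (2, "Alan", "Turing", "enigma"),
]

# The address-bar value from the message above, as it would arrive in url.employeeId.
INJECTION_INPUT = (
    "2;SELECT password AS firstname, lastname FROM employees WHERE employeeId = 2"
)


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "employeeId INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_dynamic_sql(employee_id):
    """What '#url.employeeId#' interpolation does: untrusted text becomes part of the SQL."""
    return f"SELECT firstname, lastname FROM employees WHERE employeeId = {employee_id}"


def count_statements(sql):
    """Rough statement count: split on ';' (ignores semicolons inside string literals)."""
    return len([part for part in sql.split(";") if part.strip()])


def lookup_employee(conn, employee_id):
    """Parameterized lookup with an integer type check: the analogue of
    <cfqueryparam value="#url.employeeId#" cfsqltype="cf_sql_integer">."""
    if not re.fullmatch(r"-?\d+", str(employee_id).strip()):
        raise ValueError(f"employeeId must be an integer, got {employee_id!r}")
    cur = conn.execute(
        "SELECT firstname, lastname FROM employees WHERE employeeId = ?",
        (int(employee_id),),
    )
    return cur.fetchall()


def lookup_employee_untyped(conn, employee_id):
    """Parameterized but with no type check: the whole input is bound as one value,
    so it is compared against employeeId instead of being parsed as SQL."""
    cur = conn.execute(
        "SELECT firstname, lastname FROM employees WHERE employeeId = ?",
        (employee_id,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    conn = make_db()
    dynamic = build_dynamic_sql(INJECTION_INPUT)
    print("dynamic SQL:", dynamic)
    print("statements in dynamic SQL:", count_statements(dynamic))
    print("typed lookup, id 2:", lookup_employee(conn, "2"))
    print("untyped parameterized lookup with payload:",
          lookup_employee_untyped(conn, INJECTION_INPUT))
    try:
        lookup_employee(conn, INJECTION_INPUT)
    except ValueError as exc:
        print("typed lookup rejected payload:", exc)
```

The dynamic string contains two statements; whether the database runs the second one depends on the driver, which is exactly the gamble cfqueryparam removes. The untyped parameterized lookup returns no rows, because the payload is bound as a single text value that no integer employeeId equals, and the typed lookup rejects it before any SQL is sent.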

-----Original Message-----
From: James Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 16, 2004 8:01 AM
To: CF-Talk
Subject: RE: SQL query style (WAS: SQL search query)


> > OK, if it improves performance it is worth using, but I am not sure what
> > the requirement for verifying the data type is, almost all queries that
> > use a variable are using one that you as the programmer have passed to it
> > and therefore have control of its verification before it ever gets to the
> > query, even if it is posted from a form we have the data validation of the
> > CFFORM tag and the CFINPUT types.
>
> And you think the average cfform and cfinput tag is sufficient? I don't.

OK, but even if the wrong data type is supplied to the query what will
happen, you will get an error.  If the cfqueryparam detects an incorrect
data type it will throw an error, yes?  So what is the difference?  Would you
care to explain your answer rather than just taking pot shots at me?

> > I also don't understand the 'unauthorized users' bit.
>
> Authorization is not relevant.

From Docs.

<QUOTE>Macromedia recommends that you use the cfqueryparam tag within every
cfquery tag, to help secure your databases from unauthorized users.</QUOTE>

Macromedia clearly think it is relevant, would you care to elaborate on why
you think it isn't?

--
Jay