On Wed, 16 Jun 2004 08:06:16 -0400, Joe Rinehart wrote:
>
> CFQUERYPARAM does provide a layer of typing that running a basic query
> misses.  For instance, if you have this query:
>
> SELECT firstname, lastname FROM employees WHERE employeeId =
> #url.employeeId#
>
> and I change the value of employeeId=2 in my address bar to something
> like:
>
> 2;SELECT password AS firstname, lastname FROM employees WHERE employeeId
> = 2
>
> ...I can probably manipulate your database to do what I please.  It's
> called a SQL injection attack, and CFQUERYPARAM is one very good way to
> prevent it, as it creates prepared statements that take parameters, not
> dynamic formed SQL.  For more info, check out this article:
>
> http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html

Think of a more dangerous URL

I'll change the URL variable to
2; drop table employees '

You can do the validation with Val and such, but you're still open to
SQL Injection Attacks if you're not careful.

You should ALWAYS use CFQUERYPARAM on EVERY query, no matter what.
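The two query forms the thread contrasts, side by side, as an added example that is not code from either poster. It assumes a ColdFusion datasource named "hr" and an employees table with employeeId, firstname and lastname columns (all hypothetical), and reuses the url.employeeId variable from the quoted message; url.lastname is an added assumption.

```cfml
<!--- Added example, not from the original thread. Datasource "hr" and the
      column names are assumptions. --->

<!--- VULNERABLE: url.employeeId is pasted straight into the SQL text.
      With url.employeeId = "2; DROP TABLE employees" the database driver
      receives two statements and, if it allows batched statements, runs
      the second one. Val() would reduce this particular value to 2, but
      only because the target column is numeric. --->
<cfquery name="emp" datasource="hr">
    SELECT firstname, lastname
    FROM employees
    WHERE employeeId = #url.employeeId#
</cfquery>

<!--- HARDENED: the value travels as a bind parameter of a prepared
      statement, never as SQL text, so it cannot terminate or extend the
      query. cfsqltype="cf_sql_integer" also makes ColdFusion reject any
      value that is not an integer ("2; DROP TABLE employees" throws an
      error before anything is sent to the database). --->
<cfquery name="emp" datasource="hr">
    SELECT firstname, lastname
    FROM employees
    WHERE employeeId = <cfqueryparam value="#url.employeeId#"
                                     cfsqltype="cf_sql_integer">
</cfquery>

<!--- String columns are where Val() offers nothing: the bind parameter is
      what keeps quote characters in the data and out of the SQL.
      maxlength caps the value at the column width. --->
<cfquery name="empByName" datasource="hr">
    SELECT firstname, lastname
    FROM employees
    WHERE lastname = <cfqueryparam value="#url.lastname#"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="50">
</cfquery>
```

The check worth running on an existing code base is a search for `#` variables inside `<cfquery>` tags that are not wrapped in `<cfqueryparam>`; every such occurrence is a candidate for the first form above, whatever type the column has.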