I hope I understand your problem correctly but...

Using cfqueryparam will result in the query executing much like it would in a stored procedure. SQL injection attacks are not, or I should say less, possible in a stored procedure because the data is bound to the variable and the code is compiled. So when you pass a parameter to it, the database knows that the parameter is a parameter and simply that. It will not execute it. This is done with what are called bind variables.

cfqueryparam uses bind variables, thus eliminating the need for SPs to prevent SQL injection attacks. SPs are still extremely useful though; don't get me wrong. There is just no need to reinvent the wheel here.

If you look at the debugging info for a query with and without cfqueryparam, you will see that CF is binding the data to a parameter when using cfqueryparam. So the database knows the query parameter is simply a parameter and not executable code.

This article may shed some light on this topic for you.

http://www.macromedia.com/devnet/mx/coldfusion/articles/cfqueryparam.html

If you're running IIS, you may want to look into IISLockdown and URLScan also.

Also, if you are worried about people messing with the form fields, you can put some code on the page to redirect them to another page if the referring site is not the same site. So if they try to link in from another web page not on your server, or if they paste a link into the address bar, they will be redirected somewhere. I have never tried this in CF but I have done it in another language. The HTTP Referer is usually blank if the user comes to the page from the address bar.

Thanks,

David

-----Original message-----
From: "Wes" [EMAIL PROTECTED]
Date: Thu, 22 Jul 2004 10:33:28 -0400
To: CF-Talk [EMAIL PROTECTED]
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?

>  CFQUERYPARAM will validate the data. This script rips out ALL harmful SQL
>  statements that someone might try to include into a URL or FORM field entry.
>  
>  -----Original Message-----
>  From: Joe Rinehart [mailto:[EMAIL PROTECTED]
>  Sent: Thursday, July 22, 2004 10:20 AM
>  To: CF-Talk
>  Subject: Re: A script to Prevent SQL Injection: feedback/suggestions?
>  
>   
>  
>  For some reason I never got the e-mail, and didn't see the script.
>  
>  I'm curious though: what does it provide that CFQUERYPARAM does not?
>  
>  Thanks,
>  
>  Joe
>  
>
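The bind-variable behaviour described in the reply above, shown as an added example that is not code from the original thread or from Macromedia. It uses Python's sqlite3 module (in-memory database, constructed sample rows) because the mechanism is the same one cfqueryparam relies on: the SQL text is compiled with a placeholder, and the user-supplied value is handed to the database separately, so it can never be parsed as SQL. `lookup_unsafe` mirrors a `<cfquery>` that pastes `#url.username#` straight into the statement; `lookup_bound` mirrors `<cfqueryparam value="#url.username#" cfsqltype="cf_sql_varchar">`; `lookup_by_id_bound` mirrors `cfsqltype="cf_sql_integer"`, where the type check rejects non-numeric input before the query runs. The table, rows, and the injection payload are all constructed for the demo.

```python
import sqlite3


def build_db():
    """Constructed sample database: three users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("root", 1)],
    )
    return conn


def lookup_unsafe(conn, username):
    # Equivalent of <cfquery> with #url.username# concatenated into the SQL text.
    # The value becomes part of the statement, so quotes in it change its meaning.
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, username):
    # Equivalent of <cfqueryparam value="#url.username#" cfsqltype="cf_sql_varchar">.
    # The '?' is a bind variable: the statement is compiled first, then the value
    # is supplied as data, so a quote in it is just a character to compare against.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup_by_id_bound(conn, raw_id):
    # Equivalent of cfsqltype="cf_sql_integer": the value must be a whole number
    # before the query is ever sent. int() plays that role here and raises
    # ValueError on input such as "1 OR 1=1".
    user_id = int(raw_id)
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# Constructed injection payload: closes the string literal and appends a
# tautology, the classic "' OR '1'='1" trick.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run both lookups with an honest value and with the payload."""
    conn = build_db()
    try:
        lookup_by_id_bound(conn, "1 OR 1=1")
        bad_id_rejected = False
    except ValueError:
        bad_id_rejected = True
    return {
        "honest_unsafe": lookup_unsafe(conn, "alice"),
        "honest_bound": lookup_bound(conn, "alice"),
        "payload_unsafe": lookup_unsafe(conn, PAYLOAD),  # tautology leaks every row
        "payload_bound": lookup_bound(conn, PAYLOAD),    # no user is literally named that
        "good_id_bound": lookup_by_id_bound(conn, "3"),
        "bad_id_rejected": bad_id_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and compare `payload_unsafe` with `payload_bound`: the concatenated query returns all three users, including `root`, while the bound query returns nothing, because the database compared each username against the literal string `x' OR '1'='1`. That difference is exactly what the CF debug output is telling you when it lists the query text with `?` placeholders and the parameter values separately.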