CFQUERYPARAM avoids SQL injection by binding the parameter into the
statement, not just by checking types. It is impossible to have a
bound parameter executed as literal SQL (if the DB actually supports
binding).

On 1/27/06, Sebastian Mork <[EMAIL PROTECTED]> wrote:
> Hi,
>
> In my apps I use the cfqueryparam tag nearly every time I select data from a database.
>
> Now I tried (using a MySQL db) to execute some SQL commands via a URL param.
>
> The case is I wanna avoid direct SQL injections.
> Therefore I made some tests to see how manipulation works and how to avoid it.
> An example, I've a query like this:
> select tbl_users.* from tbl_users where fld_username='#url.test#'
>
> All tests, e.g. trying to call file.cfm?test=anything';update tbl_users set
> fld_password='abc', failed.
>
> Anyway, I don't wanna get this working, I wanted to see if e.g. a
> cfqueryparam with type=cf_sql_varchar prevents
> this from executing or not.
>
> When using numeric values as queryparams an error is thrown (e.g. where
> fld_id=<cfqueryparam cfsqltype="cf_sql_bigint" value="#url.v#">
> when v=abc),
> but what about other types like text, varchar..?
> A way to avoid it could be replacing the ; in e.g. search strings when
> searching for anything in the db.
>
> But what if a semicolon is needed to search for, e.g. in a product teaser or
> something like that..

--
CFAJAX docs and other useful articles:
http://jr-holmes.coldfusionjournal.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230550
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
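An added example (not from either poster) showing the question's query in its vulnerable form next to the bound form the reply describes; the datasource name "myDSN" and the tbl_products/fld_teaser search are assumptions, tbl_users and its columns come from the thread.

```cfml
<!--- Added example, not code from the original thread. Assumes a MySQL
      datasource named "myDSN" (hypothetical) and the tbl_users table from
      the question; tbl_products/fld_teaser are hypothetical. --->

<!--- Constructed test input: a legitimate value that happens to contain a
      quote and a semicolon, the characters the question worries about. --->
<cfset url.test = "o'brien; sales">

<!--- VULNERABLE (the query from the question): the value is pasted into the
      SQL text, so the quote ends the string literal and the rest of the value
      is parsed as SQL. Here that means a syntax error; with other input it
      means an attacker controls the statement. --->
<cfquery name="qUnsafe" datasource="myDSN">
    select tbl_users.* from tbl_users
    where fld_username = '#url.test#'
</cfquery>

<!--- SAFE: cfqueryparam hands the value to the driver as a bound parameter.
      The SQL the database parses is fixed ("... where fld_username = ?");
      the quote and the semicolon are just characters inside the data, so
      nothing has to be stripped or replaced. --->
<cfquery name="qSafe" datasource="myDSN">
    select tbl_users.* from tbl_users
    where fld_username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#url.test#">
</cfquery>

<!--- Numeric column: the type check rejects non-numeric input before the
      query is sent, which is the error the question saw for v=abc. --->
<cfquery name="qById" datasource="myDSN">
    select tbl_users.* from tbl_users
    where fld_id = <cfqueryparam cfsqltype="cf_sql_bigint" value="#url.v#">
</cfquery>

<!--- The semicolon case from the question: a search term containing ";" is
      matched literally against the column because it is bound, not spliced
      into the SQL text. The LIKE wildcards are part of the bound value. --->
<cfset form.term = "buy one; get one free">
<cfquery name="qSearch" datasource="myDSN">
    select fld_teaser from tbl_products
    where fld_teaser like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#form.term#%">
</cfquery>
```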
