You are safe using val for number fields. Nothing would crash it. Val
evaluates to 0 if what you pass in cannot be recognized as a number.

-Mike Chabot

On 3/16/07, Mik Muller <[EMAIL PROTECTED]> wrote:
> Ok ok, so I'm a baaad boy, but I hadn't been using cfqueryparam all this 
> time, but with a good reason. You cannot cache your queries if you do.
>
> I'm sure this has come up before, but I want to ask anyway...
>
> I'd prefer not to cfqueryparam all my queries because I have quite a few that 
> run for every page, some of which are pretty big. Currently I cache every 
> query I can get away with caching and the sites run fairly snappy. Some day 
> soon I'll get around to a real tune-up as far as performance, but for now I'm 
> worried about security.
>
> For the queries based on numeric ID, can't I get away with putting a val( ) 
> around my url ID variables and be ok (this is what I'm doing now)? I mean, 
> val( ) strips out everything starting from the first non-numeric character, 
> which would essentially remove all sql hacks. Assuming I could ensure val( ) 
> didn't crash (what could crash it) would I be safe enough with just that?
>
> Mik
>
>
> i.e.:
>
> <cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC">
>        SELECT something
>        FROM somewhere
>        WHERE ID = <cfqueryparam cfsqltype="CF_SQL_INTEGER" null="No" 
> value="#url.ID#">
> </cfquery>
>
> vs.
>
>
> <cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC" 
> cachedwithin="#session.cache_long#">
>        SELECT something
>        FROM somewhere
>        WHERE ID = #val(url.ID)#
> </cfquery>
>
> --------
> Michael Muller
> Admin, MontagueMA.net Website
> work (413) 863-0030
> cell (413) 320-5336
> skype: michaelBmuller
> http://www.MontagueMA.net
>
> Eschew Obfuscation
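For readers following the thread, here is an added CFML example (not from either message above) of the defensive pattern under discussion: validate the URL id as an integer and reject anything else, instead of letting val( ) silently turn junk into 0, then bind it with cfqueryparam, or, for the cached variant the quoted message needs, interpolate only the already-validated integer. It assumes the same url.ID, request.d.dbname and session.cache_long variables used in the quoted message.

```cfml
<!--- Added example, not code from the thread. Assumes url.ID, request.d.dbname
      and session.cache_long exist as in the quoted message. --->

<!--- Reject rather than coerce: val("abc") would become 0 and quietly query row 0,
      while val("12abc") would hide a malformed request as id 12. --->
<cfif NOT structKeyExists(url, "ID") OR NOT isValid("integer", url.ID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid id</cfoutput>
    <cfabort>
</cfif>
<cfset safeID = int(url.ID)>

<!--- Preferred form: the value is bound as a parameter, so the database never
      sees attacker-controlled text as part of the SQL statement. --->
<cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC">
    SELECT something
    FROM somewhere
    WHERE ID = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#safeID#">
</cfquery>

<!--- Cached form: as the quoted message notes, cachedwithin cannot be combined
      with cfqueryparam, so only the validated integer is interpolated here. --->
<cfquery name="qsCached" datasource="#request.d.dbname#" dbtype="ODBC"
         cachedwithin="#session.cache_long#">
    SELECT something
    FROM somewhere
    WHERE ID = #safeID#
</cfquery>
```

The difference from wrapping the raw value in val( ) is that a non-numeric id produces a visible 400 (and a log entry, if the application logs aborts) rather than a successful-looking query for ID 0, which is what a defender wants to see when someone is probing URL parameters.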

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272784