As mentioned, CFQueryParam is the best defense against SQL injection, but I
believe CFCs do protect you.  CF auto-escapes any single quotes in your
strings, so I think the only way to do SQL injection is to put extra
commands in numeric parameters.  If you have the type checked beforehand, I
think you should be reasonably safe.

I would love to see something that disproves this. 

Russ

> -----Original Message-----
> From: Chris Norloff [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 21, 2008 11:51 AM
> To: CF-Talk
> Subject: CFC protect from SQL Injection?
> 
> Does the parameter typing in a CF Component protect you from a SQL
> Injection attack?
> 
> Below, both variables cfcStage_From and cfcID have their type set. It
> seems cfcStage_From would be protected as it's typed as numeric.
> 
> However, cfcID is typed as string, and it seems it could contain a
> single quote that would allow a malicious user to terminate the data entry
> and add on a second SQL statement, all inside the string cfcID.
> 
> Would cfcID be better inside double quotes (if they work)?
> 
> Thoughts? References? Links?
> 
> Thanks,
> Chris
> 
> 
> <cfcomponent  displayname="test">
> 
> <cfargument name="cfcStage_From" type="numeric" />
> <cfargument name="cfcID" type="string" />
> ....
> <cfquery name="qry_test1" datasource="test">
>     INSERT INTO  table
>     ( STAGE_FROM_ID )
>     Values (#cfcStage_From#)
> </cfquery>
> 
> <cfquery name="qry_test2" datasource="test">
>     Update table
>     set
>     From_stage =#cfcStage_From#
>     Where ID = '#cfcID#'
> </cfquery>
> 
> </cfcomponent>
> 

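Chris's two queries with the values bound through cfqueryparam, the defense Russ names as the best one, written as an added example rather than code from either post; it assumes the arguments sit inside a cffunction (the original snippet omits one) and that the ID column is 50 characters wide. Datasource, table and column names are kept from the original.

```cfml
<!--- Added example (not from the original posts): Chris's component with the
      arguments wrapped in a cffunction, so the type checks actually run, and
      every caller-supplied value sent to the database as a bound parameter. --->
<cfcomponent displayname="test">

    <cffunction name="moveStage" access="public" returntype="void" output="false">
        <!--- type="numeric" makes CF reject a non-numeric value before the body
              runs; type="string" accepts anything, quotes and semicolons included. --->
        <cfargument name="cfcStage_From" type="numeric" required="true" />
        <cfargument name="cfcID" type="string" required="true" />

        <!--- INSERT: the number is passed as a typed bind parameter instead of
              being pasted into the SQL text with #cfcStage_From#. --->
        <cfquery name="qry_test1" datasource="test">
            INSERT INTO  table ( STAGE_FROM_ID )
            VALUES ( <cfqueryparam value="#arguments.cfcStage_From#"
                                   cfsqltype="cf_sql_integer" /> )
        </cfquery>

        <!--- UPDATE: the string goes to the driver as a varchar parameter, so a
              quote or an appended statement inside cfcID stays literal data.
              maxlength="50" is an assumed column width; it caps the input size. --->
        <cfquery name="qry_test2" datasource="test">
            UPDATE table
            SET    From_stage = <cfqueryparam value="#arguments.cfcStage_From#"
                                              cfsqltype="cf_sql_integer" />
            WHERE  ID = <cfqueryparam value="#arguments.cfcID#"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="50" />
        </cfquery>
    </cffunction>

</cfcomponent>
```

With the parameters bound this way the SQL text never changes between calls, which is also what lets the database reuse the prepared statement.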
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299603