I have done this with a function for type that keeps my cfqueryparams intact... Instead of building the where clause as a string (usually a kind of a tricky proposition and not a great idea) put your logic inside the cfquery and do something like this.
<cfquery ...>
    SELECT ....
    <!--- makes general "and" possible --->
    WHERE 1 = 1
    <cfif NOT isEmpty(var1)>
        AND colname = <cfqueryparam cfsqltype="#funcToFigureOutType(var1)#" value="#var1#"/>
    </cfif>
    <cfif NOT isEmpty(var2)>
        AND colname = <cfqueryparam cfsqltype="#funcToFigureOutType(var2)#" value="#var2#"/>
    </cfif>
</cfquery>

This keeps my vars bound and prevents attack while allowing for a dynamic query... You could just as easily loop through a list of stuff using the same approach. Of course you might need to handle nulls, handle decimals etc... It can get dicey :)

Another approach is to scrub out key words that might be used in an attack. There are some Regex functions out there and a function at cflib.org to remove malicious SQL - although I think it is somewhat incomplete. Of the 2 approaches I always fall back to <cfqueryparam...>.

-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Phillip Vector [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 14, 2008 4:15 PM
To: CF-Talk
Subject: Re: any ideas

You are effectively throwing open the door to any hacker, then asking how to stop them from coming in and stealing your stereo. :)

Why do you want to do this? Perhaps there is a better way?

On Wed, May 14, 2008 at 1:44 PM, Chad Gray <[EMAIL PROTECTED]> wrote:
> I would like to leave my Query open to take in any number of where statements.
>
> IE:
> <cfset arguments.clause = "JobID = 1">
>
> <cfquery name="getJobs" datasource="#application.dsn#">
> SELECT * FROM Jobs WHERE 1=1
> <cfif len(arguments.clause)>AND #arguments.clause#</cfif>
> </cfquery>
>
> Of course the problem with doing this is SQL injection.
>
> Anyone have a good way of doing this and keep safe from SQL injection?
>
> Thanks!
> Chad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:305284
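
An added example, not part of the original thread or any poster's code: the "loop through a list" variant of the cfqueryparam approach, with an allowlist that fixes both the column names and the bind types, and explicit NULL handling. The Jobs table, JobID column and application.dsn come from the thread; the Status and DueDate columns, the filters argument and the empty-means-NULL convention are assumptions.

```cfml
<!--- Added example. Status, DueDate and the filters argument are assumed names. --->
<cffunction name="getJobs" access="public" returntype="query" output="false">
  <cfargument name="filters" type="struct" required="false" default="#structNew()#">
  <cfset var qJobs = "">
  <cfset var col = "">
  <!--- Allowlist: the only columns a caller may filter on, with the bind type for each. --->
  <cfset var allowed = structNew()>
  <cfset allowed["JobID"] = "cf_sql_integer">
  <cfset allowed["Status"] = "cf_sql_varchar">
  <cfset allowed["DueDate"] = "cf_sql_date">

  <!--- Reject unknown keys and non-simple values before any SQL is built. --->
  <cfloop collection="#arguments.filters#" item="col">
    <cfif NOT structKeyExists(allowed, col) OR NOT isSimpleValue(arguments.filters[col])>
      <cfthrow type="InvalidFilter" message="Filter not allowed: #col#">
    </cfif>
  </cfloop>

  <cfquery name="qJobs" datasource="#application.dsn#">
    SELECT JobID, Status, DueDate
    FROM Jobs
    WHERE 1 = 1
    <!--- Loop over the allowlist, not the input, so column names are always our own literals. --->
    <cfloop collection="#allowed#" item="col">
      <cfif structKeyExists(arguments.filters, col)>
        <cfif len(arguments.filters[col])>
          AND #col# = <cfqueryparam cfsqltype="#allowed[col]#" value="#arguments.filters[col]#">
        <cfelse>
          <!--- Assumption: an empty value means "match NULL"; "= NULL" never matches, so use IS NULL. --->
          AND #col# IS NULL
        </cfif>
      </cfif>
    </cfloop>
  </cfquery>
  <cfreturn qJobs>
</cffunction>
```

A caller passes a struct of column/value pairs (for example a filters struct with JobID set to 1) in place of the SQL fragment "JobID = 1", so no caller-supplied text ever reaches the statement outside a bound parameter.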