Excellent points! Thanks Dave, and everyone who took the time to reply to / read this thread.
Moral lessons learned: 1) Don't go crazy with tightening security around SQL statements. Only secure the vulnerable; 2) Whenever possible, think of using native CF functions to simplify code. :-) BTW, Dave, do you have a "Reader's Digest" version of the CFTalk threads? There are so many good ideas flying around here that it is hard to keep up sometimes. It would be awesome if we could have the common problem discussions abstracted, condensed and posted for all to share. On Tue, Jul 22, 2008 at 8:15 PM, Dave Watts <[EMAIL PROTECTED]> wrote: > > > Say you had a proc that looked like this: > > > > > > CREATE PROC sps_testproc > > > @AID int = null, > > > @BID int = null > > > as > > > IF @AID is not null > > > SELECT @AID > > > IF @AID is not NULL > > > SELECT @BID > > > > > > If I was using CFQUERY, unprotected-style, I might write this: > > > > > > <cfquery ...> > > > sps_testproc > > > <cfif whichvar = "A"> > > > @aid=123 > > > <cfelse> > > > @bid=456 > > > </cfif> > > > </cfquery> > > > > Well, first of all, in this case the stored procedure itself > > is handling validation. It's going to make sure that @aid and > > @bid are integers, and fail if they're not. In addition, in > > the above case, the parameters don't even contain CF > > variables! So, you don't really need to go any farther, as > > your current code is safe. > > As Mark just pointed out, if you did have actual CF variables in your > statement, those would be vulnerable. The stored procedure itself isn't > vulnerable, of course, but the CFQUERY tag would be unless you'd configured > your database login so that it could only execute stored procedures. > > Dave Watts, CTO, Fig Leaf Software > http://www.figleaf.com/ > > Fig Leaf Software provides the highest caliber vendor-authorized > instruction at our training centers in Washington DC, Atlanta, > Chicago, Baltimore, Northern Virginia, or on-site at your location. > Visit http://training.figleaf.com/ for more information! > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309526 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
