Okay what about this, for example: column name ITEMOID has in the DB maxlength 15 and it is numeric.

Integer is -2,147,483,648 to 2,147,483,647 = 10; the point is 10 or 15 doesn't matter. I will specify for ITEMOID in DB maxl = 15.

Example QUERY is:

SELECT location FROM item WHERE url.user_id = #url.user_id#

URL gonna look like this example: http://mydomain.com/index.cfm?user_id=125456

Now imagine the Hacker Code (Declare etc etc) will add to the end: http://mydomain.com/index.cfm?user_id=125456;DECLARE........

How can it be processed when USER_ID in database is specified for LENGTH 15 and USER_ID with Hacker code has length like 100?

I guess you gonna say that's why you have to use:

SELECT location FROM item WHERE url.user_id = <cfqueryparam value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">

to validate it. I understand that, but why is it not validated already when in DB it is specified length 15, and using this query:

SELECT location FROM item WHERE url.user_id = #url.user_id#

it should work and I have to use another validation in code using cfqueryparam?:

SELECT location FROM item WHERE url.user_id = <cfqueryparam value="#url.user_id#" cfsqltype="CF_SQL_INTEGER">

Thanks
Radek

On Thu, Jul 24, 2008 at 2:21 PM, Adrian Lynch <[EMAIL PROTECTED]> wrote:
> Whatever the length of the column in your DB.
>
> Adrian
>
> -----Original Message-----
> From: Radek Valachovic [mailto:[EMAIL PROTECTED]
> Sent: 24 July 2008 19:19
> To: CF-Talk
> Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...
>
> What would you suggest for this kind of thing:
>
> Select USERID
> from users
> where email = '#trim(arguments.email)#' and password = '#trim(arguments.password)#'
>
> Something like this?
>
> Select USERID
> from users
> where email = <cfqueryparam value="#trim(arguments.email)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?"> and password = <cfqueryparam value="#trim(arguments.password)#" cfsqltype="CF_SQL_VARCHAR" maxlength="?">
>
> I put question marks to MAXLENGTH still thinking if I should specify it for more security (but guessing length of emails someone can be rejected) or can it be without MAXLENGTH?
>
> Radek
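An added example, not from this thread or from ColdFusion itself, answering the question above in Python with sqlite3 standing in for the database: the column's declared length cannot help because `#url.user_id#` is pasted into the statement text and parsed as SQL, while the cfqueryparam-style version validates the input in code and binds it as a value. The table, rows and function names are constructed for the demonstration.

```python
import re
import sqlite3


# Constructed sample table and rows (not from the thread); sqlite3 stands in
# for the real database, the two functions for the two <cfquery> variants.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (user_id INTEGER NOT NULL, location TEXT NOT NULL)")
    conn.executemany("INSERT INTO item VALUES (?, ?)",
                     [(125456, "Prague"), (7, "Berlin")])
    return conn


def build_interpolated_sql(raw_user_id):
    """What '#url.user_id#' inside <cfquery> does: the URL value is pasted into
    the statement text. The column's declared length never comes into play,
    because the input is not compared with the column as a value; the database
    parses the whole string as SQL, whatever follows the number included."""
    return "SELECT location FROM item WHERE user_id = " + raw_user_id


# CF_SQL_INTEGER-style shape check with maxlength 15: only decimal digits.
USER_ID_RE = re.compile(r"[0-9]{1,15}")


def lookup_with_param(conn, raw_user_id):
    """Equivalent of <cfqueryparam cfsqltype="CF_SQL_INTEGER" maxlength="15">:
    validate the input in code, then bind it as a value, so the database only
    ever receives a fixed statement plus a placeholder."""
    if not USER_ID_RE.fullmatch(raw_user_id):
        raise ValueError("user_id must be 1-15 decimal digits")
    rows = conn.execute("SELECT location FROM item WHERE user_id = ?",
                        (int(raw_user_id),))
    return [r[0] for r in rows]


def handle_request(conn, raw_user_id):
    """Request handler: returns the locations, or None when the value was
    rejected. A rejection here is worth logging as a tampered URL."""
    try:
        return lookup_with_param(conn, raw_user_id)
    except ValueError:
        return None
```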