Actually, it looks like as long as I managed my prepared statement naming
manually across the entire MySQL server I'd be ok to just run multiple
queries in a row ( because CF8 with MySQL breaks for me if I try more than
one statement separated by semicolons ).

So it'd play out like this, for anyone curious:

<!--- dsn: your ColdFusion datasource name --->
<cfquery datasource="#dsn#">
    PREPARE #appName#_someIdentifier FROM 'SELECT * FROM some_table WHERE id = ?'
</cfquery>

<cfquery datasource="#dsn#">
    SET @p1 := '#userSuppliedValue#'
</cfquery>

<cfquery datasource="#dsn#">
    EXECUTE #appName#_someIdentifier USING @p1
</cfquery>

That sure is a lot of cfquery tags, considering you'd need an extra cfquery
for each parameter.
But I wonder if that would totally break because CF could be executing
multiple queries in parallel through the same MySQL connection and the
interwoven execution of all of these queries might make them overlap and
overwrite each other's values. Is that about accurate?




2009/4/16 David McGuigan <davidmcgui...@gmail.com>

> Am I correct in assuming ( after just having skimmed the topic with Google
> ) that to do that within CFML I'd have to drop into Java and use the MySQL
> Java API to achieve that?
>
>
>
>
> On Thu, Apr 16, 2009 at 10:36 AM, Dave Watts <dwa...@figleaf.com> wrote:
>
>>
>> > I've always been curious as to how cfqueryparam works. Does anyone know
>> > if it just performs some scanning and filtering on the actual values of
>> > the parameters passed to it or whether it somehow signals to the RDBMS
>> > that the values are parameters to the query thereby treating an SQLI
>> > attack as an escaped string or something?
>>
>> It builds a prepared statement. It doesn't scan or filter anything.
>>
>> > cfqueryparam errors when you try to use it outside a cfquery tag, which
>> > limits some of the stuff you can do with it. ( Like using cfsavecontent
>> > to have various cffunctions append SQL to a query and then popping that
>> > variable inside of a cfquery tag ).
>> >
>> > Is there some other way to leverage the parameterized safety of
>> > cfqueryparam? Can you do it using pure SQL? The database driver? Any
>> > ideas on how I could provide the same security outside of cfquery tags?
>>
>> You could build a prepared statement yourself.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized
>> instruction at our training centers in Washington DC, Atlanta,
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more information!
>>
>> 
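For anyone wanting to try the PREPARE / SET / EXECUTE sequence sketched at the top of this message, here it is written out as the statements MySQL actually accepts. This is an added example, not code from the thread or from any of its posters; the table "users", its columns, the sample rows and the statement name "myapp_find_user" are all constructed for illustration. Two caveats a practitioner will care about: the "?" marker can only stand for a value (never a table or column name), and both the prepared statement and the @p1 user variable live in the session, i.e. on one connection. If the three cfquery tags are handed different connections from the pool, the EXECUTE step fails with MySQL error 1243 (unknown prepared statement handler) rather than silently overlapping, and the SET step, as sketched, still interpolates the raw value into SQL text, so that value needs to be bound (for example with cfqueryparam) or the injection point merely moves.

```sql
-- Added example (not from the thread). Table, rows and statement name are
-- constructed for illustration.

-- Constructed sample data so the sequence can be run on a scratch database.
CREATE TABLE users (
    id    INT PRIMARY KEY,
    email VARCHAR(100) NOT NULL,
    name  VARCHAR(50)  NOT NULL
);
INSERT INTO users (id, email, name) VALUES
    (1, 'alice@example.com',   'Alice'),
    (2, 'o''brien@example.com', 'O''Brien');

-- 1. Prepare. The '?' placeholder may only stand for a value, so it goes in
--    the WHERE clause; MySQL rejects it in the FROM position. The handle
--    "myapp_find_user" is visible only to the connection that created it.
PREPARE myapp_find_user FROM
    'SELECT id, name FROM users WHERE email = ?';

-- 2. Bind. The text assigned to @p1 is passed to the server as a value, not
--    spliced into the statement text, so an apostrophe inside it is just a
--    character of the string being compared, not a quote delimiter.
SET @p1 := 'o''brien@example.com';

-- 3. Execute. Matches only the row whose email is exactly that string.
--    On a different pooled connection from the one that ran PREPARE this
--    step raises ERROR 1243 (unknown prepared statement handler).
EXECUTE myapp_find_user USING @p1;

-- 4. Re-use the same handle with another bound value.
SET @p1 := 'alice@example.com';
EXECUTE myapp_find_user USING @p1;

-- 5. Release the handle. Prepared statements also vanish when the session
--    ends, so a forgotten DEALLOCATE only matters on long-lived connections.
DEALLOCATE PREPARE myapp_find_user;
```

The whole sequence has to run on a single connection for the EXECUTE step to find the handle, which is the property a server-side cfqueryparam (or a JDBC PreparedStatement, as mentioned earlier in the thread) gives you for free by doing prepare, bind and execute in one round on one connection.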

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321667