Update: You can actually enable multiple statements in a single query in
ColdFusion by appending allowMultiQueries=true to your datasource connection
string!


2009/4/16 David McGuigan <davidmcgui...@gmail.com>

> Actually, it looks like as long as I managed my prepared statement naming
> manually across the entire MySQL server I'd be ok to just run multiple
> queries in a row ( because CF8 with MySQL breaks for me if I try more than
> one statement separated by semicolons ).
>
> So it'd play out like this, for anyone curious:
>
> cfquery/
> prepare statement #appName#_someIdentifier
> ' select * from ? '
>
> cfquery/
> set @p1 := '#userSuppliedValue#'
>
> cfquery/
> execute #appName#_someIdentifier using @p1
>
> That sure is a lot of cfquery tags, considering you'd need an extra cfquery
> for each parameter.
> But I wonder if that would totally break because CF could be executing
> multiple queries in parallel through the same MySQL connection and the
> interwoven execution of all of these queries might make them overlap and
> overwrite each other's values. Is that about accurate?
>
> 2009/4/16 David McGuigan <davidmcgui...@gmail.com>
>
>> Am I correct in assuming ( after just having skimmed the topic with Google
>> ) that to do that within CFML I'd have to drop into Java and use the MySQL
>> Java API to achieve that?
>>
>> On Thu, Apr 16, 2009 at 10:36 AM, Dave Watts <dwa...@figleaf.com> wrote:
>>
>>>
>>> > I've always been curious as to how cfqueryparam works. Does anyone know if
>>> > it just performs some scanning and filtering on the actual values of the
>>> > parameters passed to it or whether it somehow signals to the RDBMS that the
>>> > values are parameters to the query thereby treating an SQLI attack as an
>>> > escaped string or something?
>>>
>>> It builds a prepared statement. It doesn't scan or filter anything.
>>>
>>> > cfqueryparam errors when you try to use it outside a cfquery tag, which
>>> > limits some of the stuff you can do with it. ( Like using cfsavecontent to
>>> > have various cffunctions append SQL to a query and then popping that
>>> > variable inside of a cfquery tag ).
>>> >
>>> > Is there some other way to leverage the parameterized safety of
>>> > cfqueryparam? Can you do it using pure SQL? The database driver? Any ideas
>>> > on how I could provide the same security outside of cfquery tags?
>>>
>>> You could build a prepared statement yourself.
>>>
>>> Dave Watts, CTO, Fig Leaf Software
>>> http://www.figleaf.com/
>>>
>>> Fig Leaf Software provides the highest caliber vendor-authorized
>>> instruction at our training centers in Washington DC, Atlanta,
>>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>>> Visit http://training.figleaf.com/ for more information!
>>>
>>> 
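As an added example (not code from anyone in this thread), one way to keep cfqueryparam's prepared-statement protection while still letting several functions assemble the SQL, which is the problem raised above: collect literal SQL fragments and bind values separately, then emit the cfqueryparam tags inside a single cfquery. The table, column, form field and datasource names are assumed.

```cfml
<!--- Added example, not from the thread. Fragments are SQL the application
      wrote; params reach the driver only through cfqueryparam, so they are
      bound by the prepared statement rather than concatenated into it. --->
<cffunction name="newQueryBuilder" returntype="struct" output="false">
    <cfset var qb = structNew()>
    <cfset qb.parts = arrayNew(1)>
    <cfreturn qb>
</cffunction>

<cffunction name="addSql" returntype="void" output="false">
    <cfargument name="qb" type="struct" required="true">
    <cfargument name="fragment" type="string" required="true">
    <!--- literal SQL only; user-supplied values never take this path --->
    <cfset arrayAppend(arguments.qb.parts, { text = arguments.fragment })>
</cffunction>

<cffunction name="addParam" returntype="void" output="false">
    <cfargument name="qb" type="struct" required="true">
    <cfargument name="value" type="any" required="true">
    <cfargument name="cfsqltype" type="string" required="true">
    <cfset arrayAppend(arguments.qb.parts,
        { bind = true, value = arguments.value, cfsqltype = arguments.cfsqltype })>
</cffunction>

<!--- Any number of functions can append to the same builder before it runs --->
<cfset qb = newQueryBuilder()>
<cfset addSql(qb, "SELECT id, email FROM users WHERE status = ")>
<cfset addParam(qb, form.status, "cf_sql_varchar")>     <!--- assumed form field --->
<cfset addSql(qb, " AND created_at > ")>
<cfset addParam(qb, form.since, "cf_sql_timestamp")>    <!--- assumed form field --->

<!--- One cfquery, one prepared statement: a placeholder is generated wherever
      cfqueryparam appears and each value is sent as a bound parameter --->
<cfquery name="qUsers" datasource="#application.dsn#">  <!--- assumed datasource --->
    <cfloop array="#qb.parts#" index="part">
        <cfif structKeyExists(part, "bind")>
            <cfqueryparam value="#part.value#" cfsqltype="#part.cfsqltype#">
        <cfelse>
            #part.text#
        </cfif>
    </cfloop>
</cfquery>
```

Because everything ends up in one cfquery on one connection, this also sidesteps the concern raised above about PREPARE, SET and EXECUTE landing on different pooled connections.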

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321672