> We have been working to secure our cfquery statements throughout our site
> using cfqueryparam and I have come upon the following format:
>
> <cfquery datasource="#this.dsn#" name="myQuery" username="#Request.username#"
> password="#Request.password#">
> #PreserveSingleQuotes(sql)#
> </cfquery>
>
> My question is, (and I'm pretty sure it's no, but had to ask anyway) can you
> put a cfqueryparam around the variable above? If so, what would be the
> cfsqltype for this since it's passing an entire query?
No, you can't do that.

> If this is not possible, (which I'm 95% sure it's not) is this secure from
> SQL attacks?

No, it isn't.

> If not, what would you recommend doing to secure this more?

You really can't take a block of unknown text and make it "secure". CFQUERYPARAM relies on the ability to separate SQL "code" from "data". The code needs to be executed. The data can be mapped to placeholders.

So, your best bet is to make your SQL a bit less dynamic. If that's not an option, you could limit the functionality exposed to the datasource login used by this dynamic SQL to the bare minimum necessary to run the query. You'd do that configuration within your database server, of course.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:334059
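An added example (not from the thread, not Dave's or the original poster's code) of the "less dynamic" rewrite the reply recommends. The idea is that the caller stops handing the application a SQL string and instead picks a named query and supplies values; the SQL text lives in the application and only the values go through cfqueryparam, while an identifier the caller may choose (the sort column) is checked against a fixed list. The names Request.reportName, Request.customerId, Request.since, Request.sortCol, the orders table and its columns are all assumptions made up for the example.

```cfml
<!--- Added example, not from the original thread. Every Request.* name,
      the orders table and its columns are hypothetical. --->

<!--- BEFORE: the pattern from the question. Whatever is in #sql# runs as SQL.
      PreserveSingleQuotes() switches off ColdFusion's automatic escaping of
      single quotes, so a value such as
        SELECT 1; DROP TABLE orders
      is executed verbatim, and cfqueryparam has nothing to bind because the
      whole statement is "code", not "data". --->
<cfquery datasource="#this.dsn#" name="myQuery"
         username="#Request.username#" password="#Request.password#">
    #PreserveSingleQuotes(sql)#
</cfquery>

<!--- AFTER: the caller chooses a report by name and supplies values only. --->

<!--- Identifiers cannot be bound with cfqueryparam, so the sort column is
      taken from a fixed list. ListGetAt returns the canonical spelling from
      the list, so the raw request value never reaches the SQL text. --->
<cfset allowedSort = "placed_on,total,order_id">
<cfset sortPos = ListFindNoCase(allowedSort, Request.sortCol)>
<cfif sortPos EQ 0>
    <cfthrow message="Invalid sort column">
</cfif>
<cfset sortCol = ListGetAt(allowedSort, sortPos)>

<!--- The login passed here should be granted only SELECT on the tables these
      queries read (done in the database server, as the reply says). That limits
      the damage if some other dynamic query still exists. --->
<cfswitch expression="#Request.reportName#">

    <cfcase value="ordersByCustomer">
        <cfquery datasource="#this.dsn#" name="myQuery"
                 username="#Request.username#" password="#Request.password#">
            SELECT order_id, placed_on, total
            FROM   orders
            WHERE  customer_id = <cfqueryparam value="#Request.customerId#"
                                               cfsqltype="cf_sql_integer">
            ORDER BY #sortCol#
        </cfquery>
    </cfcase>

    <cfcase value="ordersSince">
        <cfquery datasource="#this.dsn#" name="myQuery"
                 username="#Request.username#" password="#Request.password#">
            SELECT order_id, placed_on, total
            FROM   orders
            WHERE  placed_on >= <cfqueryparam value="#Request.since#"
                                              cfsqltype="cf_sql_timestamp">
            ORDER BY #sortCol#
        </cfquery>
    </cfcase>

    <cfdefaultcase>
        <!--- An unknown report name is rejected rather than passed through. --->
        <cfthrow message="Unknown report: #EncodeForHTML(Request.reportName)#">
    </cfdefaultcase>

</cfswitch>
```

The cfsqltype on each cfqueryparam is what lets the driver send the value as a typed bind parameter; the `customer_id` parameter, for instance, is rejected before the query runs if it is not an integer. The one remaining interpolation, `#sortCol#`, is safe only because its value is copied out of `allowedSort`, never out of the request. If a query genuinely cannot be rewritten this way, the database-side least-privilege step (a login with SELECT on the needed tables and nothing else) is the only control left, and it reduces impact rather than preventing injection.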

