> However about CFQUERYPARAM, keep in mind that:
> - this will prevent SQL injection, not all forms of attack;
> - CFQUERYPARAM makes all values look like "parameter 1"... in the error 
> messages, instead of the real values, not really handy when debugging;
> - CFQUERYPARAM makes all queries more difficult to write AND to read for 
> programmers;
> - disabling multiple statement execution in the database will prevent 
> SQL injection as well.
> - ending a query on an error because of CFQUERYPARAM will prevent the 
> injection, but will not give you any hint that it was really an attack.
>
> Personally I prefer checking crucial form and url parameters and eventually 
> ban the intruder before submitting the query.

This is silly contrarianism. Yes, CFQUERYPARAM only prevents SQL
injection attacks. That's not a criticism. I've been using it for
years, and I haven't found it significantly more difficult to read
errors or debug query problems. Also, it is not the case that all SQL
injection attacks require the ability to execute multiple statements.
SQL injection attacks can be written within a single statement,
although the attacker does lose some flexibility within that
constraint. Hell, the Wikipedia page on SQL injection attacks lists as
its first attack (an information disclosure attack) a single
statement. Finally, how you trap errors is entirely up to you.

CFQUERYPARAM is definitely more likely to be successful at preventing
SQL injection attacks than your "checking crucial form and URL
parameters". CFQUERYPARAM, by defining a separation between data and
executable code, prevents them entirely. It prevents known SQL
injection attacks, and is guaranteed to prevent as-yet-undiscovered
SQL injection attacks in the future. You have no guarantee that you
can prevent attacks entirely by attempting to filter them out
individually.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
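The following is an added illustration of the two points made in the reply above (injection does not need multiple statements, and binding parameters separates data from SQL text); it is not code from the original thread and it is Python against an in-memory SQLite database rather than ColdFusion, standing in for the "cfquery with string concatenation" versus "cfquery with CFQUERYPARAM" patterns. The users table, its rows and the payload strings are constructed for the example; sqlite3's refusal to run more than one statement per execute() call plays the role of a database with multiple statement execution disabled.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def _db():
    """Build a throwaway in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL text,
    so the database parses it as part of the statement (cfquery without cfqueryparam)."""
    sql = "SELECT id, name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Safe pattern: the value is bound as a parameter and never becomes SQL text,
    which is the separation of data from executable code that CFQUERYPARAM provides."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run benign and hostile inputs through both patterns and collect the outcomes."""
    conn = _db()
    benign = "alice"
    # Single-statement payloads: a tautology that returns every row, and a UNION
    # that reads the schema out of sqlite_master. Neither needs a second statement.
    tautology = "x' OR '1'='1"
    union = "x' UNION SELECT 1, name, sql FROM sqlite_master --"
    # Stacked-statement payload: sqlite3.execute() rejects multiple statements,
    # so this models a database with multiple statement execution turned off.
    stacked = "x'; DROP TABLE users; --"

    results = {}
    results["concat_benign"] = lookup_concat(conn, benign)
    results["concat_tautology"] = lookup_concat(conn, tautology)
    results["concat_union"] = lookup_concat(conn, union)
    try:
        lookup_concat(conn, stacked)
        results["concat_stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # Blocking the second statement stops this payload but not the two above.
        results["concat_stacked"] = "blocked: %s" % exc

    # With bound parameters every hostile string is just a name nobody has.
    results["param_benign"] = lookup_param(conn, benign)
    results["param_tautology"] = lookup_param(conn, tautology)
    results["param_union"] = lookup_param(conn, union)
    results["param_stacked"] = lookup_param(conn, stacked)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Running it shows the concatenated query handing back all three rows for the tautology and the CREATE TABLE text for the UNION even though only the stacked payload is refused, while the bound-parameter query returns an empty result for all three payloads and still finds "alice" for the legitimate lookup.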

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344131