Even if your cfqueryparam is looking for a string (say you're using a
UUID), you're still safe because they're passed in as arguments to a
manufactured stored procedure.  Ultimately, the db ends up doing something
like this:

declare @p1 nvarchar(4000);
select * from forums where threadid=@p1

EVEN if @p1 contains "5; truncate table topics" - you're safe here.  The DB
is simply going to compare the field to the entire string passed in.

Rick



On Thu, Mar 7, 2013 at 9:44 PM, Maureen <mamamaur...@gmail.com> wrote:

>
> At some point, you want to verify that you are passing an actual threadid
> (to use your example) and not a sql statement that someone has appended to
> the url as threadid.  If you simply use the url variable you aren't doing
> that.  If your cfqueryparm is checking for an integer you would probably be
> ok, but if your cfqueryparm is looking for a string and you aren't doing
> any testing on the url variable before using it in the query, you're open
> for problems.
>
> I rarely use url variables, but when I do I always  check to make sure it
> contains the type of data I am expecting it to contain.
>
> On Thu, Mar 7, 2013 at 6:08 PM, Rick Root <rick.r...@gmail.com> wrote:
>
> >
> > How exactly are we asking for trouble by using URL variables within
> > CFQUERYPARAMs?
> >
> > For example, a message board might link to a message topic with
> > viewTopic.cfm?threadid=5
> >
> > You can't do form posts for every call to your application, so I'm
> curious
> > as to how you propose doing this.
> >
> > <cfset myvar = url.threadId>
> >
> > And then use myVar?  I just don't see the point.
> >
> > Rick
> >
>
>
> 
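As an added illustration of the point made above (this is not code from the thread or from ColdFusion; it uses Python's sqlite3 module and a constructed in-memory forums/topics schema), the example below binds the threadid as a parameter, exactly the shape of the "declare @p1 ... where threadid=@p1" statement the database ends up running, and shows that the string "5; truncate table topics" is compared against the column as one value and the topics table survives. The as_integer helper is a hypothetical stand-in for what an integer-typed cfqueryparam does: reject non-integer input before it reaches the query.

```python
import sqlite3

# Constructed in-memory schema standing in for the forums/topics tables
# mentioned in the thread; not the poster's real database.
SCHEMA = """
create table forums (threadid integer, title text);
create table topics (id integer, body text);
insert into forums values (5, 'Welcome thread');
insert into topics values (1, 'first post');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_thread(conn, threadid):
    """Parameterised lookup: whatever is bound to ? is sent as a value and
    compared against the column, never parsed as part of the SQL text."""
    return conn.execute(
        "select threadid, title from forums where threadid = ?",
        (threadid,),
    ).fetchall()


def as_integer(value):
    """Hypothetical stand-in for cfqueryparam cfsqltype='cf_sql_integer':
    accept only a whole number, otherwise raise before any query runs."""
    text = str(value).strip()
    digits = text[1:] if text.startswith("-") else text
    if not digits.isdigit():
        raise ValueError(f"not an integer: {value!r}")
    return int(text)


def topics_count(conn):
    return conn.execute("select count(*) from topics").fetchone()[0]


def demo():
    """Returns (rows for '5', rows for the payload, topics rows left,
    whether the integer check rejected the payload)."""
    conn = make_db()
    payload = "5; truncate table topics"  # constructed, the string quoted in the thread
    good = find_thread(conn, "5")        # text "5" is coerced and matches threadid 5
    bad = find_thread(conn, payload)     # whole string compared, no row matches
    survived = topics_count(conn)        # nothing was truncated
    try:
        as_integer(payload)
        rejected = False
    except ValueError:
        rejected = True
    return len(good), len(bad), survived, rejected


if __name__ == "__main__":
    print(demo())  # (1, 0, 1, True)
```

Running it prints (1, 0, 1, True): the legitimate id matches one row, the payload matches nothing and changes nothing, and the integer check turns the payload away at the door.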

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354898