I myself use SP's whenever possible (there are times when this isn't 
possible).  However, it's beneficial to correctly outline what 
<cfqueryparam> does, for those people on the list that should be using 
<cfqueryparam>.

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 2:03 pm
Subject: RE: RE: RE: Preventing SQL injection attacks...?

> i will have to take your word for it since i have probably never used
> cfqueryparam, nor intend to. i personally always use stored procedures
> and i do all of my validation myself. if cfqueryparam works for you, then
> use it and god bless. i have been taught differently and personally i
> don't think i would trust it.
> 
> Anthony Petruzzi
> Webmaster
> 954-321-4703
> [EMAIL PROTECTED]
> http://www.sheriff.org
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 12, 2002 3:24 PM
> To: CF-Talk
> Subject: Re: RE: RE: Preventing SQL injection attacks...?
> 
> 
> No, it won't.
> 
> It'll produce the SQL equivalent of:
> 
> select * from mytable where username = 'tony ''drop table 
> tablename --'
> 
> ----- Original Message -----
> From: [EMAIL PROTECTED]
> Date: Friday, April 12, 2002 11:46 am
> Subject: RE: RE: Preventing SQL injection attacks...?
> 
> > still. if i had the value
> > 
> > tony ' drop table tablename--
> > 
> > and a cfqueryparam with a type of CF_SQL_VARCHAR
> > 
> > it would still pass in the value as such
> > 
> > select * from mytable where username = 'tony ' drop table 
> > tablename--'
> > 
> > which would cause the table to be dropped.
> > 
> > 
> > Anthony Petruzzi
> > Webmaster
> > 954-321-4703
> > [EMAIL PROTECTED]
> > http://www.sheriff.org
> > 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, April 12, 2002 1:45 PM
> > To: CF-Talk
> > Subject: Re: RE: Preventing SQL injection attacks...?
> > 
> > 
> > <cfqueryparam> does in fact prevent that code from running.  
> > <cfqueryparam> creates a prepared statement with parameters.  It 
> > then 
> > compares what you've entered as a value with the datatype you've 
> > specified and, if successful, binds the parameters with what 
> > you've 
> > entered.  So, if you entered:
> > 
> > select * from table where id = <cfqueryparam value="#url.id#" 
> > cfsqltype="CF_SQL_DECIMAL">
> > 
> > and then in your url entered: id=12;drop table yourtable
> > 
> > It would throw you an error.
> > 
> > As well, if you had:
> > 
> > select * from table where id = <cfqueryparam value="#url.id#" 
> > cfsqltype="CF_SQL_VARCHAR">
> > 
> > It would create the equivalent SQL statement of:
> > 
> > select * from table where id = '12;drop table yourtable'
> > 
> > ----- Original Message -----
> > From: [EMAIL PROTECTED]
> > Date: Friday, April 12, 2002 11:00 am
> > Subject: RE: Preventing SQL injection attacks...?
> > 
> > > let's say you have a text field that is 100 characters long. you
> > > can still get a "drop table tablename" appended to the sql statement or
> > > write an entire sql statement. Cfqueryparam was meant to speed up
> > > cfquery, not to be a cure all.
> > > 
> > > Anthony Petruzzi
> > > Webmaster
> > > 954-321-4703
> > > [EMAIL PROTECTED]
> > > http://www.sheriff.org
> > > 
> > > 
> > > -----Original Message-----
> > > From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, April 12, 2002 1:06 PM
> > > To: CF-Talk
> > > Subject: Re: Preventing SQL injection attacks...?
> > > 
> > > 
> > > [EMAIL PROTECTED] wrote:
> > > 
> > > >you can't forget that form fields also play a part in this. after
> > > >reading the information provided in jeff's link, it did shine a
> > > >light. although i have been taught from the beginning to always use
> > > >val() around numeric values (thank Adam) and to use regex to
> > > >validate text input (props Raymond).
> > > >if you're anal and take the time to make sure that the information
> > > >that people are passing you is in the exact format you want, you
> > > >shouldn't have a problem. also, don't rely on javascript, i always
> > > >do server-side validation even after client side, just to make
> > > >certain. i even go as far as putting as much validation as i can
> > > >into my stored procedures and triggers. although SQL server doesn't
> > > >support regular expressions, which sucks! anyone know a way it
> > > >could?
> > > >
> > > why not just use cfqueryparam, it validates and it makes your sql
> > > code run faster???
> > > 
> > > 
> > > 
> > 
> > 
> 
> 
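An added example, not code from this thread or from ColdFusion, showing the behaviour the thread describes for its two cases (a CF_SQL_DECIMAL value of `12;drop table yourtable` and a CF_SQL_VARCHAR value of `tony ' drop table tablename--`), with Python's sqlite3 parameter binding standing in for <cfqueryparam>; the function names, the type-check logic and the sample table are assumptions.

```python
"""Added example, not code from the CF-Talk thread: emulates what the thread
says <cfqueryparam> does, with Python's sqlite3 standing in for ColdFusion.
The value is checked against the declared cfsqltype, then bound as a
parameter, so SQL text inside the value is data, never part of the statement."""
import sqlite3
from decimal import Decimal, InvalidOperation

def check_type(value, cfsqltype):
    """Type check before binding (function and type handling are assumed):
    CF_SQL_DECIMAL must parse as a number, CF_SQL_VARCHAR passes through."""
    if cfsqltype == "CF_SQL_DECIMAL":
        try:
            return float(Decimal(value))  # sqlite3 binds float, not Decimal
        except InvalidOperation:
            # the error the thread says you get for id=12;drop table yourtable
            raise ValueError(f"{value!r} is not a valid CF_SQL_DECIMAL")
    if cfsqltype == "CF_SQL_VARCHAR":
        return str(value)
    raise ValueError(f"unsupported cfsqltype {cfsqltype!r}")

def param_query(conn, sql, value, cfsqltype):
    """Run sql with one '?' placeholder, the sqlite3 analogue of cfqueryparam."""
    return conn.execute(sql, (check_type(value, cfsqltype),)).fetchall()

def sql_literal(value):
    """Literal-SQL equivalent of a bound string: quotes doubled, so the whole
    value is compared against username, as the thread describes."""
    return "'" + value.replace("'", "''") + "'"

def table_exists(conn, name):
    sql = "select 1 from sqlite_master where type = 'table' and name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("create table mytable (id integer, username text)")
    conn.executemany("insert into mytable values (?, ?)", [(12, "tony"), (13, "bob")])
    # CF_SQL_VARCHAR: matched as one string against username; nothing is dropped
    rows = param_query(conn, "select * from mytable where username = ?",
                       "tony ' drop table tablename--", "CF_SQL_VARCHAR")
    # CF_SQL_DECIMAL: the non-numeric value is rejected before any SQL runs
    try:
        param_query(conn, "select * from mytable where id = ?",
                    "12;drop table yourtable", "CF_SQL_DECIMAL")
        rejected = False
    except ValueError:
        rejected = True
    good = param_query(conn, "select * from mytable where id = ?", "12", "CF_SQL_DECIMAL")
    return rows, rejected, good, table_exists(conn, "mytable")
```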
______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists