I was just doing some more reading about this problem. Stored procedures are still susceptible to SQL injection *if* they dynamically modify the query based on the user input. But from what I can see, ColdFusion uses parameterised queries which should be safe. At least I can't find any particular mention of exploits for them online (yet ;) )
My concern was that any time you are accepting string input from a user, the data still needs to be sanitised before use, and cf_sql_varchar is still just a string. A string by any other name would be just as vulnerable. So yes, my only concern is that it can accept text, but that text does not appear to get executed by the db, which is a good thing :) As Zac points out, the data is still potentially dangerous as a possible XSS attack later on (client side, not server side). But as for my concern about SQL attacks, I'm more comfortable now about using cfqueryparams.

On Jun 30, 3:00 pm, Ross <[EMAIL PROTECTED]> wrote:
> Not exactly sure why you believe cf_sql_varchar is more insecure compared to the other cf sql types? Other than it can accept text?
>
> Things might have changed in recent times but when I was using CF7 & SQL2000 this was how things worked.
> The reason why using CFQUERYPARAM to pass data is so much better than not using it is that your query is transformed into a temporary stored procedure. This is great because then you have all the protection of calling a stored proc. In short your data is separated from your executing SQL instead of SQL parsing and executing the code on the fly.
>
> Ross
>
> On Jun 30, 4:15 pm, nedlud <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I'm a bit concerned about ColdFusion's security vs SQL injection attacks. As a rule I use CFQUERYPARAMs for all parameters going into a query (I use MySQL as my db, if that makes any difference).
> >
> > But it seems to me that the cf_sql_varchar type is still a liability since you can effectively pass any string into that field. So what's to stop people from trying an injection there? Setting the length on the string, as the live docs suggest, seems a particularly lame defence.
> >
> > Any comments or suggestions for how I should deal with this?
> >
> > I've done some googling and keep coming up empty with solutions applicable to CF.
> >
> > Am I really going to have to check all string parameters myself before passing them into the db?

You received this message because you are subscribed to the Google Groups "cfaussie" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cfaussie?hl=en
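An added example, not from this thread and not ColdFusion or Adobe code, that models the distinction Ross describes: a query built by pasting the user's string into the SQL text (what `<cfquery>` does with a bare `#form.username#`) beside one where the SQL is fixed and the string travels as a bound value (what `<cfqueryparam cfsqltype="cf_sql_varchar">` does). It uses Python's `sqlite3` as a stand-in for CF talking to MySQL; the `users` table, its rows and the `MAX_USERNAME_LEN` limit are constructed for the demonstration. It also shows the two points nedlud raises: a length limit does not change what the parser sees, and a bound varchar is stored verbatim, so it still has to be HTML-encoded when it is later rendered.

```python
import html
import sqlite3

# Constructed limit standing in for the maxlength attribute on cfqueryparam.
MAX_USERNAME_LEN = 20


def make_db():
    """Build a small in-memory table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_interpolated(conn, username):
    """Model of a cfquery that inlines the value: the string becomes SQL text,
    so any quote characters in it are parsed as part of the statement."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_interpolated_length_checked(conn, username):
    """Same inlined query behind a length check. The check only bounds how
    long the pasted-in SQL fragment can be; it does not separate data from code."""
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    return lookup_interpolated(conn, username)


def lookup_parameterised(conn, username):
    """Model of cfqueryparam: the SQL text is constant and is prepared once;
    the value is bound afterwards and can only ever be compared as a string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def store_and_reload(conn, username, email):
    """Insert through a bound parameter and read the row back. The varchar is
    stored exactly as given; nothing in it is executed by the database."""
    conn.execute(
        "INSERT INTO users (username, email) VALUES (?, ?)", (username, email)
    )
    row = conn.execute(
        "SELECT username FROM users WHERE email = ?", (email,)
    ).fetchone()
    return row[0]


def render_username(username):
    """Output encoding for the browser. Binding the value kept the database
    safe; escaping on output is the separate step that keeps the page safe."""
    return html.escape(username, quote=True)


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR 'a'='a"  # constructed input containing a quote character
    print("inlined:       ", lookup_interpolated(conn, crafted))
    print("parameterised: ", lookup_parameterised(conn, crafted))
    print("stored as:     ", store_and_reload(conn, "O'Brien <b>", "ob@example.invalid"))
    print("rendered as:   ", render_username("O'Brien <b>"))
```

Run it and the inlined lookup returns every row for the crafted string because the quote closes the literal and the rest is parsed as SQL, while the parameterised lookup returns nothing because no username equals that string. The length-checked variant behaves the same as the unchecked one for any input under the limit. The stored value comes back with its quote and angle brackets intact, which is why the later `render_username` step is still needed.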
