Excellent points! Thanks Dave, and everyone who took the time to reply to /
read this thread.
Moral lessons learned:
1) Don't go crazy with tightening security around SQL statements. Only
secure the vulnerable;
2) Whenever possible, think of using native CF functions to simplify code.
:-)
BTW,
Why not pass both to the proc, then rewrite the proc so that rather than
testing for its existence, you're testing for whether or not it's blank?
-Original Message-
From: Qing Xia [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 22, 2008 9:21 AM
To: CF-Talk
Subject: writing protected CF
Yup, you're making sense. The way around it is to pass NULL in using:

    <cfprocparam null="true">
Adrian
-Original Message-
From: Qing Xia [mailto:[EMAIL PROTECTED]
Sent: 22 July 2008 15:21
To: CF-Talk
Subject: writing protected CF with CFStoredProc
Hello folks:
The discussion yesterday
What's wrong with using:

    <cfquery ...>
        exec sps_testproc
        <cfif whichvar EQ "A">
            @aid = <cfqueryparam value="123" cfsqltype="cf_sql_integer">
        <cfelse>
            @bid = <cfqueryparam value="456" cfsqltype="cf_sql_integer">
        </cfif>
    </cfquery>
Oh yeah, you are right, of course. There is no NULL in CF so if I do a
Value=NULL that will only confuse SQL.
Cool, thanks!
On Tue, Jul 22, 2008 at 10:27 AM, Adrian Lynch [EMAIL PROTECTED]
wrote:
Yup, you're making sense. The way around it is to pass NULL in using:

    <cfprocparam null="true">
True! I can certainly do this as well.
On Tue, Jul 22, 2008 at 10:40 AM, morgan l [EMAIL PROTECTED] wrote:
What's wrong with using:

    <cfquery ...>
        exec sps_testproc
        <cfif whichvar EQ "A">
            @aid = <cfqueryparam value="123" cfsqltype="cf_sql_integer">
        <cfelse>
In your example you are altering the behavior of the query based upon input
which does not affect injection attacks. The idea of protecting against
injection attacks is to stop invalid values from being executed within the
query/SP.
Take for example this query:
delete from customer where
The discussion yesterday regarding using CFqueryparam to
protect sites from SQL Injection attacks got me thinking.
Well, it is easy enough to use CFQUERYPARAM everywhere inside
CFQUERY tags, wherever a variable is passed to the SQL query.
However, how do you do that with CFStoredProc?
Say you had a proc that looked like this:
    CREATE PROC sps_testproc
        @AID int = null,
        @BID int = null
    AS
        IF @AID IS NOT NULL
            SELECT @AID
        IF @BID IS NOT NULL
            SELECT @BID
If I was using CFQUERY, unprotected-style, I might write this:
    <cfquery ...>
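As an added example (not code from the thread or from any of the posters), here is the sps_testproc call written with cfstoredproc, using cfprocparam null="true" as Adrian suggests so that whichever parameter is not in use is passed as NULL while the other is still bound as an integer. The conditional only decides which parameter is NULL; neither value is ever concatenated into SQL, which is the point Dave makes about where injection protection actually lives. The datasource name myDSN and the url.whichvar / url.id inputs are assumptions made for the example.

```cfml
<!--- Added example: calling sps_testproc with cfstoredproc and a conditional NULL.
      Assumptions: datasource "myDSN", inputs url.whichvar and url.id. --->
<cfparam name="url.whichvar" default="A">
<cfparam name="url.id" default="123">

<!--- Reject anything that is not an integer before it reaches the driver;
      cfprocparam binds the value, it does not validate it for us. --->
<cfif NOT isValid("integer", url.id)>
    <cfthrow message="id must be an integer">
</cfif>

<!--- The branch chooses which parameter is NULL, nothing else. --->
<cfset useA = (url.whichvar EQ "A")>

<cfstoredproc procedure="sps_testproc" datasource="myDSN">
    <!--- @AID: bound to url.id when whichvar is A, passed as NULL otherwise.
          With null="true" the value attribute is ignored. --->
    <cfprocparam cfsqltype="cf_sql_integer" value="#url.id#" null="#NOT useA#">
    <!--- @BID: bound to url.id when whichvar is not A, passed as NULL otherwise. --->
    <cfprocparam cfsqltype="cf_sql_integer" value="#url.id#" null="#useA#">
    <!--- The proc returns one result set from whichever SELECT runs. --->
    <cfprocresult name="result">
</cfstoredproc>

<cfdump var="#result#">
```

ColdFusion binds cfprocparam tags to the procedure's parameters by position, so keep them in the order the proc declares them (@AID then @BID here); both must be supplied even though the proc gives them defaults, which is exactly what null="true" is for.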