[thelist] ColdFusion but mostly SQL question
.jeff
jeff at members.evolt.org
Sun Jul 28 19:26:01 CDT 2002
Josh,
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Josh
>
> I have a huge website with many form entries and url
> variables. I just realized that anybody can come along
> and insert sql code into my variables and have it
> executed. What is the quickest and easiest way I fix
> this?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
Well, it depends a lot on what datatype your form and url variables are that you're using in the sql statements. If they're all numbers, then simply wrapping their use in the sql statements with the Val() function should take care of the problem for ya. So, instead of this:
SELECT foo
FROM bar
WHERE id = #url.bar_id#
change it to this:
SELECT foo
FROM bar
WHERE id = #Val(url.bar_id)#
Now, if you're using strings in some of your statements then you need to take a look at the <cfqueryparam> tag.
good luck,
.jeff
http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
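An added example (not part of jeff's reply or Josh's site) putting the Val() fix next to the <cfqueryparam> fix it points at; the datasource name, the form/url field names and the column names are assumed.

```cfml
<!--- Numeric key, coerced with Val(): "5; DROP TABLE bar" becomes 5,
      "abc" becomes 0, so only a number ever reaches the SQL. --->
<cfquery name="getBarByVal" datasource="myDSN">
    SELECT foo
    FROM bar
    WHERE id = #Val(url.bar_id)#
</cfquery>

<!--- Same lookup with <cfqueryparam>: the value is sent as a bound
      parameter, and a non-integer value raises an error instead of
      being silently turned into 0. --->
<cfquery name="getBarByParam" datasource="myDSN">
    SELECT foo
    FROM bar
    WHERE id = <cfqueryparam value="#url.bar_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String input, where Val() does not help: the driver binds the
      parameter as data, so quotes or keywords typed into form.username
      are matched literally, never executed. maxlength caps the input. --->
<cfquery name="getBarByName" datasource="myDSN">
    SELECT foo
    FROM bar
    WHERE name = <cfqueryparam value="#form.username#"
                               cfsqltype="cf_sql_varchar"
                               maxlength="50">
</cfquery>

<!--- Several ids at once: Val() would keep only the first number of
      "1,2,3", so use list="true" to bind each element separately. --->
<cfquery name="getBarsByIds" datasource="myDSN">
    SELECT foo
    FROM bar
    WHERE id IN (<cfqueryparam value="#url.bar_ids#"
                               cfsqltype="cf_sql_integer"
                               list="true">)
</cfquery>
```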