[thelist] Security Tip

rudy r937 at interlog.com
Tue Apr 3 13:45:16 CDT 2001


><CFQUERY ..>
>    update tblfoo
>    set hit = 1
>    where id = #Val(URL.ID)#
></CFQUERY>
>
>That code would not be prone to the sort of attack you mentioned.

there's also CFQUERYPARAM which gives a lot more flexibility to the
validation -- integers, dates, decimal, etc.

see \cfdocs45\CFML_Language_Reference\2_ColdFusion_Tags\lr2_074.htm

    <CFQUERYPARAM VALUE="parameter value"
        CFSQLType="parameter type"
        MAXLENGTH="maximum parameter length"
        SCALE="number of decimal places"
        DBNAME="database name"
        NULL="Yes/No">

i like the examples they give at the bottom of this page, where a value is
submitted containing a semi-colon and another sql statement

rudy.ca
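An added illustration of the two approaches side by side, in CFML; this is not code from rudy's post or from the ColdFusion docs. The datasource name myDSN and the lastHit column on tblfoo are assumptions.

```cfml
<!--- Constructed example: assumes tblfoo(id integer, hit integer, lastHit date) --->

<!--- Unsafe form: URL.ID is pasted straight into the SQL text.
      A value containing a semi-colon and a second statement (the case the
      docs page illustrates) would reach the database as two statements.
    <cfquery datasource="myDSN">
        update tblfoo set hit = 1 where id = #URL.ID#
    </cfquery>
--->

<!--- Safe form: each value goes through CFQUERYPARAM and is typed.
      cf_sql_integer rejects anything that is not an integer before the
      query is sent, and cf_sql_date does the same for the timestamp. --->
<cftry>
    <cfquery datasource="myDSN">
        update tblfoo
        set    hit     = 1,
               lastHit = <cfqueryparam value="#Now()#" cfsqltype="cf_sql_date">
        where  id      = <cfqueryparam value="#URL.ID#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfoutput>Row #HTMLEditFormat(URL.ID)# updated.</cfoutput>

    <cfcatch type="any">
        <!--- Reached when URL.ID fails the integer check; the database never sees it --->
        <cfoutput>Rejected: #HTMLEditFormat(cfcatch.message)#</cfoutput>
    </cfcatch>
</cftry>
```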