[thelist] Security Tip
rudy
r937 at interlog.com
Tue Apr 3 13:45:16 CDT 2001
><CFQUERY ..>
> update tblfoo
> set hit = 1
> where id = #Val(URL.ID)#
></CFQUERY>
>
>That code would not be prone to the sort of attack you mentioned.
There's also CFQUERYPARAM, which gives a lot more flexibility to the
validation -- integers, dates, decimals, etc.
see \cfdocs45\CFML_Language_Reference\2_ColdFusion_Tags\lr2_074.htm
<CFQUERYPARAM VALUE="parameter value"
CFSQLType="parameter type"
MAXLENGTH="maximum parameter length"
SCALE="number of decimal places"
DBNAME="database name"
NULL="Yes/No" >
I like the examples they give at the bottom of this page, where a value is
submitted containing a semicolon and another SQL statement.
rudy.ca
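The three forms discussed in the thread side by side, as an added example that is not part of rudy's post or of the ColdFusion docs he cites. The table name tblfoo and column hit come from the quoted snippet; the column name, the datasource name "mydsn" and the URL.NAME parameter are assumptions made for the example.

```cfml
<!--- Added example, not from the original post. Assumes a table
      tblfoo(id, hit, name) and a datasource named "mydsn"; the column
      "name" and the datasource name are hypothetical. --->

<!--- 1. Vulnerable: the raw URL value is pasted into the SQL text.
      A request like ?ID=1;DELETE FROM tblfoo becomes two statements on
      any driver that accepts batched SQL, which is the attack described
      at the bottom of the CFQUERYPARAM reference page. --->
<CFQUERY NAME="hitVuln" DATASOURCE="mydsn">
  UPDATE tblfoo SET hit = 1 WHERE id = #URL.ID#
</CFQUERY>

<!--- 2. The Val() mitigation from the quoted post: only the leading
      numeric part of the string survives, so "1;DELETE FROM tblfoo"
      is reduced to 1 before it touches the SQL. This only helps for
      integer columns, and silently turns garbage into 0. --->
<CFQUERY NAME="hitVal" DATASOURCE="mydsn">
  UPDATE tblfoo SET hit = 1 WHERE id = #Val(URL.ID)#
</CFQUERY>

<!--- 3. CFQUERYPARAM: the value is sent as a typed parameter rather
      than spliced into the statement text. A value that is not a valid
      integer is rejected by ColdFusion instead of reaching the database. --->
<CFQUERY NAME="hitParam" DATASOURCE="mydsn">
  UPDATE tblfoo SET hit = 1
  WHERE id = <CFQUERYPARAM VALUE="#URL.ID#" CFSQLTYPE="CF_SQL_INTEGER">
</CFQUERY>

<!--- 4. The same for a string column, where Val() cannot help at all.
      MAXLENGTH bounds the input; a semicolon or quote in URL.NAME is
      just data inside the parameter, never part of the SQL. --->
<CFQUERY NAME="byName" DATASOURCE="mydsn">
  SELECT id, hit
  FROM tblfoo
  WHERE name = <CFQUERYPARAM VALUE="#URL.NAME#"
                             CFSQLTYPE="CF_SQL_VARCHAR"
                             MAXLENGTH="50">
</CFQUERY>
```

The practical difference: Val() is a coercion that happens to work for integer keys, while CFQUERYPARAM keeps data and SQL separate for every type the database supports, which is why it is the one to reach for on anything that is not a plain integer.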