[thelist] ColdFusion but mostly SQL question

.jeff jeff at members.evolt.org
Sun Jul 28 19:26:01 CDT 2002


Josh,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Josh
>
> I have a huge website with many form entries and url
> variables.  I just realized that anybody can come along
> and insert sql code into my variables and have it
> executed.  What is the quickest and easiest way I fix
> this?
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

Well, it depends a lot on what datatype your form and url variables are that you're using in the sql statements.  if they're all numbers, then simply wrapping their use in the sql statements with the Val() function should take care of the problem for ya.  so, instead of this:

SELECT foo
  FROM bar
 WHERE id = #url.bar_id#

change it to this:

SELECT foo
  FROM bar
 WHERE id = #Val(url.bar_id)#

now, if you're using strings in some of your statements then you need to take a look at the <cfqueryparam> tag.

good luck,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
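For readers who want to see the <cfqueryparam> approach Jeff mentions written out, here is an added example (not from Jeff's post or from Josh's site). It rewrites the numeric query with a bound integer parameter, then shows a string parameter and a list parameter; the datasource name "mydsn", the "users" table and the "url.ids" variable are assumed for illustration.

```cfml
<!--- Added example, not from the original post. <cfqueryparam> binds the
      value as a typed parameter instead of pasting it into the SQL text,
      so the database sees it as data, never as part of the statement. --->

<!--- Numeric url variable: the same query that used Val() above. A bound
      integer parameter rejects anything that is not an integer, and the
      value never reaches the SQL parser as text. --->
<cfquery name="getFoo" datasource="mydsn">
    SELECT foo
      FROM bar
     WHERE id = <cfqueryparam value="#url.bar_id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String form variable: Val() is no help here, since a name is not a
      number. cf_sql_varchar binds the text as data, so a quote character
      inside form.username is compared, not executed. maxlength limits how
      much input the database ever sees. ("users" table is assumed.) --->
<cfquery name="getUser" datasource="mydsn">
    SELECT user_id, username
      FROM users
     WHERE username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- Comma-separated list of ids (e.g. url.ids = "3,7,12", assumed):
      list="true" expands the value into one bound integer per element,
      so each element is validated and an IN (...) clause stays safe. --->
<cfquery name="getSeveral" datasource="mydsn">
    SELECT foo
      FROM bar
     WHERE id IN (<cfqueryparam value="#url.ids#"
                                cfsqltype="cf_sql_integer"
                                list="true">)
</cfquery>
```

A missing or non-numeric value makes the request fail with a ColdFusion error rather than running a malformed query, so pair these with <cfparam> defaults or a check on the variable before the query where the page should degrade gracefully.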
