Enhancing Security With Cfqueryparam; About Query String Parameters; Using Cfqueryparam - MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual


Do not use the query attribute of the cfoutput tag when you output the ColumnList or RecordCount property. If you do, you get one copy of the output for each row. Instead, prefix the variable with the name of the query.

Enhancing security with cfqueryparam

Some DBMSs let you send multiple SQL statements in a single query. However, hackers might try to modify URL or form variables in a dynamic query by appending malicious SQL statements to existing parameters. Be aware that there are potential security risks when you pass parameters in a query string. This can happen in many development environments, including ColdFusion, ASP, and CGI. Using the cfqueryparam tag can reduce this risk.

About query string parameters

When you let a query string pass a parameter, ensure that only the expected information is passed. The following ColdFusion query contains a WHERE clause, which selects only database entries that match the last name specified in the LastName field of a form:

<cfquery name="GetEmployees" datasource="CompanyInfo">
SELECT FirstName, LastName, Salary
FROM Employee
WHERE LastName='#Form.LastName#'
</cfquery>

Someone could call this page with the following malicious URL:

http://myserver/page.cfm?Emp_ID=7%20DELETE%20FROM%20Employee

The result is that ColdFusion tries to execute the following query:

<cfquery name="GetEmployees" datasource="CompanyInfo">
SELECT * FROM Employee
WHERE Emp_ID = 7 DELETE FROM Employee
</cfquery>

In addition to an expected integer for the Emp_ID column, this query also passes malicious string code in the form of a SQL statement. If this query successfully executes, it deletes all rows from the Employee table—something you definitely do not want to enable by this method. To prevent such actions, you must evaluate the contents of query string parameters.

Using cfqueryparam

You can use the cfqueryparam tag to evaluate query string parameters and pass a ColdFusion variable within a SQL statement. This tag evaluates variable values before they reach the database. You specify the data type of the corresponding database column in the cfsqltype attribute of the cfqueryparam tag. In the following example, because the Emp_ID column in the CompanyInfo data source is an integer, you specify a cfsqltype of cf_sql_integer:

<cfquery name="EmpList" datasource="CompanyInfo">
SELECT * FROM Employee
WHERE Emp_ID = <cfqueryparam value = "#Emp_ID#"
cfsqltype = "cf_sql_integer">
</cfquery>
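As an added example that is not from the manual, the following Python script (using sqlite3 in place of a ColdFusion data source; the Employee rows and the query_param helper are constructed for illustration) models what cfqueryparam does: it checks each untrusted value against its declared cfsqltype before binding it, so the appended-statement value from the URL above is rejected, while a legitimate Emp_ID or a last name containing a quote reaches the database as bound data rather than SQL text.

```python
import sqlite3

# Constructed in-memory schema and rows mirroring the manual's Employee table.
SCHEMA = """
CREATE TABLE Employee (Emp_ID INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT, Salary INTEGER);
INSERT INTO Employee VALUES (7, 'Ada', 'Lovelace', 9000);
INSERT INTO Employee VALUES (8, 'Conor', 'O''Brien', 9500);
"""

def query_param(value, cfsqltype):
    """Check an untrusted value against its declared SQL type and return the
    value to bind. Like cfqueryparam with cfsqltype, a value that does not fit
    the declared type is rejected before any SQL reaches the database."""
    if cfsqltype == "cf_sql_integer":
        try:
            return int(value)  # '7' passes; '7 DELETE FROM Employee' does not
        except (TypeError, ValueError):
            raise ValueError(f"{value!r} is not a valid {cfsqltype}") from None
    if cfsqltype == "cf_sql_varchar":
        return str(value)  # travels as bound data, so quotes need no escaping
    raise ValueError(f"unsupported cfsqltype {cfsqltype!r}")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def get_employee(conn, emp_id):
    """Counterpart of the manual's EmpList query: Emp_ID is a bound integer."""
    sql = "SELECT FirstName, LastName FROM Employee WHERE Emp_ID = ?"
    return conn.execute(sql, (query_param(emp_id, "cf_sql_integer"),)).fetchall()

def get_by_last_name(conn, last_name):
    """The manual's GetEmployees query with LastName bound as cf_sql_varchar."""
    sql = "SELECT FirstName, LastName FROM Employee WHERE LastName = ?"
    return conn.execute(sql, (query_param(last_name, "cf_sql_varchar"),)).fetchall()

def demo():
    """Run the three cases and return (match, rejected, quoted_match, row_count)."""
    conn = open_db()
    ok = get_employee(conn, "7")  # legitimate query-string value
    try:
        get_employee(conn, "7 DELETE FROM Employee")  # the manual's appended statement
        rejected = False
    except ValueError:
        rejected = True
    quoted = get_by_last_name(conn, "O'Brien")  # embedded quote is plain data
    rows = conn.execute("SELECT COUNT(*) FROM Employee").fetchone()[0]
    return ok, rejected, quoted, rows
```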
