Adobe COLDFUSION 9 Manual page 421

Developing applications
DEVELOPING COLDFUSION 9 APPLICATIONS
Accessing and Using Data
Enhancing security with cfqueryparam
Some DBMSs let you send multiple SQL statements in a single query. However, attackers sometimes try to modify URL
or form variables in a dynamic query by appending malicious SQL statements to existing parameters (SQL injection). Be aware of
potential security risks when you pass parameters in a query string. These risks can exist in many development
environments, including ColdFusion, ASP, and CGI. Using the cfqueryparam tag can reduce this risk.
About query string parameters
When you let a query string pass a parameter, ensure that only the expected information is passed. The following
ColdFusion query contains a WHERE clause, which selects only database entries that match the last name specified in
the LastName field of a form:
<cfquery name="GetEmployees" datasource="cfdocexamples">
SELECT FirstName, LastName, Salary
FROM Employee
WHERE LastName='#Form.LastName#'
</cfquery>
Because the form value is pasted into the SQL text, anything in Form.LastName becomes part of the statement: a value
containing a single quote can close the string literal and append further SQL. Numeric parameters are exposed the same
way. Suppose a similar page selects an employee by the Emp_ID URL parameter; someone could call it with the following
malicious URL:
http://myserver/page.cfm?Emp_ID=7%20DELETE%20FROM%20Employee
The result is that ColdFusion tries to execute the following query:
<cfquery name="GetEmployees" datasource="cfdocexamples">
SELECT * FROM Employee
WHERE Emp_ID = 7 DELETE FROM Employee
</cfquery>
In addition to the expected integer for the Emp_ID column, this query now carries attacker-supplied SQL: a second
statement that deletes data. If the DBMS accepts multiple statements in one request and executes it, every row of the
Employee table is deleted, which is certainly not something you want to make possible by this method. To prevent such
actions, validate the contents of query string parameters before they reach the database rather than splicing them into
the SQL text.
Using cfqueryparam
You can use the cfqueryparam tag to evaluate query string parameters and pass a ColdFusion variable within a SQL
statement. This tag evaluates variable values before they reach the database. You specify the data type of the
corresponding database column in the cfsqltype attribute of the cfqueryparam tag. In the following example,
because the Emp_ID column in the cfdocexamples data source is an integer, you specify a cfsqltype of
cf_sql_integer:
<cfquery name="EmpList" datasource="cfdocexamples">
SELECT * FROM Employee
WHERE Emp_ID = <cfqueryparam value = "#Emp_ID#"
cfsqltype = "cf_sql_integer">
</cfquery>
The cfqueryparam tag checks that the value of Emp_ID is an integer data type. If anything else in the query string is
not an integer, such as a SQL statement to delete a table, the cfquery tag does not execute. Instead, the
cfqueryparam tag throws an error with the following message:
Invalid data '7 DELETE FROM Employee' for CFSQLTYPE 'CF_SQL_INTEGER'.
The type check is only part of the protection. ColdFusion sends the value of a cfqueryparam tag to the database as a
bind parameter of a prepared statement instead of splicing it into the SQL text, so the database never parses the
value as SQL. This is what protects string parameters, which a type check alone cannot reject.
Using cfqueryparam with strings
When passing a variable that contains a string to a query, specify a cfsqltype value of cf_sql_char, and specify the
maxLength attribute, as in the following example:
Last updated 8/5/2010
416
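The manual's string example continues on the following page. As an added example that is not the manual's code, the following Python script reproduces this page's attack and the protection cfqueryparam provides, using an in-memory SQLite database as a stand-in for the cfdocexamples data source. The Employee rows, the function names and the maxlength argument are constructed for the illustration; the bind-parameter mechanism it shows is the same one cfqueryparam relies on through JDBC prepared statements. It goes beyond the page by also running the string case with a quote-closing payload, which the page describes only in words.

```python
# Added example, not code from the ColdFusion manual. It reproduces the
# manual's attack on an in-memory SQLite database (a stand-in for the
# cfdocexamples data source) and shows the two protections cfqueryparam
# combines: a type/length check on the value, and passing the value to the
# database as a bound parameter instead of splicing it into the SQL text.
import sqlite3


def make_db():
    """Constructed sample data for the Employee table used on this page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Employee (
            Emp_ID INTEGER PRIMARY KEY, FirstName TEXT, LastName TEXT, Salary INTEGER);
        INSERT INTO Employee VALUES (7, 'Alice', 'Smith', 50000);
        INSERT INTO Employee VALUES (8, 'Bob',   'Jones', 60000);
        INSERT INTO Employee VALUES (9, 'Carol', 'Smith', 70000);
        """
    )
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Employee").fetchone()[0]


# --- the vulnerable pattern: WHERE Emp_ID = #Emp_ID# -------------------------

def vulnerable_by_id(conn, emp_id):
    """Splices the raw parameter into the SQL text, as #Emp_ID# does.
    executescript() runs every statement in the string, which mimics a DBMS
    that accepts several statements per request. SQLite needs a ';' between
    the statements; the manual's payload leaves the separator out."""
    conn.executescript("SELECT * FROM Employee WHERE Emp_ID = " + emp_id)


def vulnerable_by_lastname(conn, last_name):
    """Splices a quoted string, as WHERE LastName='#Form.LastName#' does.
    Even when only one statement is allowed, the attacker can close the quote."""
    sql = "SELECT FirstName FROM Employee WHERE LastName='" + last_name + "'"
    return [r[0] for r in conn.execute(sql)]


# --- the cfqueryparam pattern: validate, then bind ---------------------------

def check_integer(value):
    """The type check a cf_sql_integer cfqueryparam performs before the query
    runs; the message mirrors the one quoted on this page."""
    try:
        return int(value)
    except ValueError:
        raise ValueError(
            f"Invalid data '{value}' for CFSQLTYPE 'CF_SQL_INTEGER'.") from None


def safe_by_id(conn, emp_id):
    # '?' is a bind parameter: the database receives the value separately from
    # the SQL text and never parses it as SQL.
    rows = conn.execute("SELECT FirstName FROM Employee WHERE Emp_ID = ?",
                        (check_integer(emp_id),))
    return [r[0] for r in rows]


def safe_by_lastname(conn, last_name, maxlength=50):
    """Like cf_sql_char with maxLength (assumed value 50): reject over-long
    input, then bind the string so quotes inside it stay data."""
    if len(last_name) > maxlength:
        raise ValueError(f"value exceeds maxLength {maxlength}")
    rows = conn.execute("SELECT FirstName FROM Employee WHERE LastName = ?",
                        (last_name,))
    return [r[0] for r in rows]


def is_rejected(func, *args):
    """True if the call is refused by the validation step (ValueError)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_by_lastname(db, "' OR '1'='1"))   # all three names leak
    print(safe_by_lastname(db, "' OR '1'='1"))         # [] : treated as a literal name
    print(safe_by_id(db, "7"))                         # ['Alice']
    print(is_rejected(safe_by_id, db, "7; DELETE FROM Employee"))  # True
    print(row_count(db))                               # 3, nothing deleted
    vulnerable_by_id(db, "7; DELETE FROM Employee")
    print(row_count(db))                               # 0, table emptied
```

The spliced string query returns every employee because the payload turns the WHERE clause into `LastName='' OR '1'='1'`; the bound version looks for an employee literally named `' OR '1'='1` and finds none. The integer payload never reaches the database in the safe path, exactly as the manual describes, while the spliced path empties the table.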