Adobe Community: cfqueryparam question

Currently Being Moderated

1. Dan Bracuk,

Aug 3, 2012 6:05 AM in reply to lwfg

Report

Cfqueryparam will escape certain symbols such as apostrophes so you don't have to worry about it.

If you are sending htmlformtatted strings as part of your query string, with or without cfqueryparam, the database will process the string that was sent. That means spaces will be converted to %20, and so on.

I don't understand your question about keywords.

|

Mark as:

Currently Being Moderated

2. lwfg,

Aug 3, 2012 6:18 AM in reply to Dan Bracuk

Report

When queries are parameterized, do I still need to make sure things like a ';' or '--' or 'drop' or 'delete' aren't in data someone's entering in a form?

|

Mark as:

Currently Being Moderated

3. Dan Bracuk,

Aug 3, 2012 7:04 AM in reply to lwfg

Report

No you do not need to worry about that. However, you do have to worry about script injection.

|

Mark as:

Currently Being Moderated

4. lwfg,

Aug 3, 2012 7:28 AM in reply to Dan Bracuk

Report

Would htmleditformat() would protect against that ?

|

Mark as:

Currently Being Moderated

5. Dan Bracuk,

Aug 3, 2012 8:27 AM in reply to lwfg

Report

If you store what you collected, and use htmleditformat for displaying the data, the js will not execute. However, if you are using a rich textarea to collect the data, you might have a problem because that data will include html tags.

If you go to cfilb.org you will find a useful function called safetext. It strips the nefarious tags and preserves the benign ones.

|

Mark as:

ColdFusion

cfqueryparam question

Aug 3, 2012 5:00 AM

More Like This

Bookmarked By (0)

Answers + Points = Status