10 Replies Latest reply: Mar 9, 2012 10:37 AM by morningdew77

    How to stop CFQUERYPARAM killing requests from search results & legitimate bots crawling the site?


      A while ago I converted most queries to use cfqueryparam to guard against injection attacks, among other things.  However, I have recently noticed a slew of cfqueryparam-generated errors, specifically where a user clicks a URL from a search engine result set or when a crawler bot visits the site.

      The function in question is a straight query in a CFC, with the two params being checked against CFARGUMENT data types before they get in:

      <cfargument name="editionID" type="numeric" required="no" default="0" hint="Specifying edition ID will in most cases return a back issue">
      <cfargument name="publicationID" type="numeric" required="yes">

              SELECT *
              FROM articles a
                  INNER JOIN sections s on a.sectionID = s.sectionID
                  INNER JOIN edition e on a.editionID = e.editionID
                  INNER JOIN publications p on e.publicationID = p.publicationID
              WHERE p.publicationID = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.publicationID#">
              <!--- The opening cfif did not survive in the post; since editionID defaults to 0, the condition is assumed to be "only filter by edition when one was supplied" --->
              <cfif arguments.editionID NEQ 0>
                  AND e.editionID = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.editionID#">
              </cfif>
              ORDER BY  a.isLead desc, a.leadPosition, a.sectionID


      Looking at the error reports, the query string is coming in exactly as it should (e.g., Query: action=3&articleID=1756&editionID=176 -- publication ID is set in the request scope; article ID is used as a filter), however CF fails to validate "176" as an integer, and the whole thing fails.


      I take off the cfqueryparam, and the exact same link which didn't work, does.


      Any insight would be appreciated,
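The post does not pin down why "176" is rejected, so a defensive approach is to normalise and validate every incoming ID in the request handler before it reaches cfargument/cfqueryparam, and to log what was rejected (with the client address and user agent) so the crawler and search-result cases can be investigated from the logs instead of surfacing as hard errors. The following is an added example, not code from the original post; the function name safeInteger, the CFC variable articleService and its getArticles method, and the log file name paramValidation are assumptions. It also handles one known ColdFusion behaviour beyond the single value shown in the post: when the same key appears twice in a query string, ColdFusion exposes it as a comma-delimited list such as "176,176".

```cfml
<!--- Added example (not from the original post): normalise an incoming URL/form value
      before it reaches cfargument/cfqueryparam. Names are assumed (see lead-in). --->
<cffunction name="safeInteger" returntype="numeric" output="false">
    <cfargument name="raw" type="string" required="true">
    <cfargument name="defaultValue" type="numeric" required="false" default="0">
    <cfargument name="paramName" type="string" required="false" default="value">

    <!--- declare all locals up front so this also works on older CF engines --->
    <cfset var candidate = trim(arguments.raw)>
    <cfset var first = "">
    <cfset var item = "">

    <!--- Duplicate URL keys arrive as a comma list (e.g. "176,176").
          Accept the list only if every element is identical. --->
    <cfif listLen(candidate) GT 1>
        <cfset first = trim(listFirst(candidate))>
        <cfloop list="#candidate#" index="item">
            <cfif trim(item) NEQ first>
                <cfset candidate = "">
                <cfbreak>
            </cfif>
        </cfloop>
        <cfif len(candidate)>
            <cfset candidate = first>
        </cfif>
    </cfif>

    <!--- Strict whole-number check (optional sign, 1-9 digits) so values such as
          "176 ", "176.0" or "176abc" fall back to the default rather than erroring. --->
    <cfif NOT reFind("^-?[0-9]{1,9}$", candidate)>
        <cflog file="paramValidation" type="warning"
               text="Rejected #arguments.paramName# value [#arguments.raw#] from #cgi.REMOTE_ADDR# UA=#cgi.HTTP_USER_AGENT#; using default #arguments.defaultValue#">
        <cfreturn arguments.defaultValue>
    </cfif>

    <cfreturn int(candidate)>
</cffunction>

<!--- Usage in the request handler, before calling the CFC method from the post.
      editionID defaults to 0, matching the cfargument default in the post. --->
<cfparam name="url.editionID" default="0">
<cfset cleanEditionID = safeInteger(url.editionID, 0, "editionID")>
<cfset articles = articleService.getArticles(publicationID=request.publicationID, editionID=cleanEditionID)>
```

Keeping cfqueryparam in place is still the right call: this layer only decides what value is passed to it, and the warning log gives a record of exactly which raw strings crawlers and search-result links are sending, which is the first thing to look at when deciding whether the 0 fallback is the right behaviour for those requests.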