leesiulung wrote:
> I'm looking for ways to prevent SQL injection attacks and happened to find an
> excellent article by Ben Forta:
>
> http://br.sys-con.com/read/165921.htm
>
> However, he does not mention how to prevent fields that contain strings, such
> as names. Doing an IsValid("string", fieldnames) does not prevent someone
> putting SQL into a field when validating the data.
>
> Bottom line is: How does one validate fields that contain strings to prevent
> someone from injecting SQL?
>
<CFqueryparam ...> This is one of the biggest reasons for using this tag, to prevent SQL injection. By doing this all your query values are turned into parameter variables. Thus any passed-in strings are not put directly into your SQL string, but passed separately as identified and typed pieces of data. Thus if you tell your DBMS that a value is a string, that database says "this is a string and I will put all its characters into the field."

Thus if anybody tries to pass a SQL injection string to your query, all that happens is you save all the characters into your database, or as many as the field allows.

Use <CFQueryParam...> always, it is your friend.
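The behaviour described in the reply, shown as an added example that is not part of the original thread: the same name-field insert done by string concatenation and then as a bound parameter, which is what `<cfqueryparam cfsqltype="cf_sql_varchar">` does for a CFML query. It uses Python's built-in sqlite3 module instead of ColdFusion so it runs stand-alone; the table, the sample row and the hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample: the kind of text someone might type into a "name" field.
HOSTILE_NAME = "x'); DELETE FROM users; --"


def fresh_db():
    """Create an in-memory database with one legitimate row (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    conn.commit()
    return conn


def insert_concatenated(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so a quote and a
    semicolon inside it end the literal and start a new statement."""
    sql = "INSERT INTO users (name) VALUES ('" + name + "')"
    conn.executescript(sql)  # executescript runs every statement in the string
    conn.commit()


def insert_parameterized(conn, name):
    """Hardened: the value is sent separately as a typed parameter, the
    sqlite3 equivalent of <cfqueryparam cfsqltype="cf_sql_varchar">.
    The driver never builds SQL text from it, so it is stored verbatim."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def stored_names(conn):
    """Return the names currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def demo():
    """Run both inserts against identical databases and return what survived."""
    vulnerable = fresh_db()
    insert_concatenated(vulnerable, HOSTILE_NAME)
    safe = fresh_db()
    insert_parameterized(safe, HOSTILE_NAME)
    return stored_names(vulnerable), stored_names(safe)


if __name__ == "__main__":
    after_concat, after_param = demo()
    print("concatenated SQL left:", after_concat)   # the injected DELETE ran
    print("parameterized left:  ", after_param)     # hostile text is just a row
```

With the parameter bound, the hostile text is stored character for character alongside the existing row, exactly as the reply says; with concatenation the embedded DELETE executes and the table is emptied.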