1 Reply Latest reply on Aug 28, 2008 4:57 PM by -==cfSearching==-

    cfqueryparam inside a cfif

    pja5362
      I am in the process of adding <cfqueryparam> tags to all my URL & FORM query variables (to protect against recent SQL injection attacks) and have come up against a few challenges. If one of those form/URL variables is a condition within a <cfif> statement, is it vulnerable to any attacks? Please see code examples 1 & 2.

      Also, how do I handle wrapping the following item in the <cfqueryparam> tag: NumberFormat(Shipping,'99999.99')? Please see code example 3 for my first attempt at it (which throws an error).

      Thanks!
        • 1. Re: cfqueryparam inside a cfif
          -==cfSearching==- Level 4
          pja5362 wrote:
          > If one of those form/URL variables is a condition within a <cfif> statement, is it vulnerable to any attacks?
          > Please see code examples 1 & 2.

          I cannot say it is invulnerable to _any_ attacks, but #2 seems like a reasonable approach. It does not use any of the user supplied values directly in the sql. That and the fact that you have set up a default "cfelse" case to handle any attempts to pass invalid values. Though personally I prefer switch/case myself. But that is just me.


          > Please see code example 3 for my first attempt at it (which throws an error).
          > <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#NumberFormat(Shipping,'99999.99')#"/>

          If your value has decimal places, then CF_SQL_INTEGER is probably the wrong data type.


          > <cfif #form.condition2# IS "less"><<cfelseif #form.condition2# IS "exactly">=<cfelse>></cfif>

          BTW, you do not need the extra # signs.

          > <cfif Evaluate("Hidden_#counter#") IS "on">
          > -1
          > <cfelseif Evaluate("Hidden_#counter#") IS "">
          > 0
          > </cfif>

          As an aside:
          1) The default <cfelse> case is missing. So the query would fail if the value was something other than "on" or "".
          2) Evaluate is probably unnecessary. You can use array notation to reference dynamic variable names:

          #FORM["hidden_"& counter]#
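
A worked version of the approach the reply endorses: the comparison operator is chosen by switch/case from a fixed set with a default case that rejects anything else, Evaluate() is replaced by array notation with a <cfelse> fallback, and the shipping value is bound with a decimal cfqueryparam instead of CF_SQL_INTEGER. This is an added example, not code from either poster; the datasource name, table and column names are assumptions.

```cfml
<!--- Added example (not from the original thread). Assumed: datasource "myDSN",
      table "orders" with columns order_id, shipping, hidden. --->
<cfparam name="form.condition2" default="exactly">
<cfparam name="form.shipping" default="0">
<cfparam name="form.counter" default="1">

<!--- 1. Map the user's choice to a fixed operator. The user value never reaches the
      SQL string itself; only the whitelisted operator does. --->
<cfswitch expression="#form.condition2#">
    <cfcase value="less"><cfset operator = "<"></cfcase>
    <cfcase value="exactly"><cfset operator = "="></cfcase>
    <cfcase value="more"><cfset operator = ">"></cfcase>
    <cfdefaultcase>
        <cfthrow type="InvalidInput" message="Unsupported condition value">
    </cfdefaultcase>
</cfswitch>

<!--- 2. Dynamic variable name via array notation instead of Evaluate(). The <cfelse>
      covers any value other than "on", so the query never gets an empty expression. --->
<cfset hiddenKey = "hidden_" & form.counter>
<cfif StructKeyExists(form, hiddenKey) AND form[hiddenKey] IS "on">
    <cfset hiddenFlag = -1>
<cfelse>
    <cfset hiddenFlag = 0>
</cfif>

<!--- 3. Bind the values. Shipping carries two decimal places, so use cf_sql_decimal
      with scale="2"; NumberFormat() is for display output, not for binding. --->
<cfquery name="getOrders" datasource="myDSN">
    SELECT order_id, shipping, hidden
    FROM   orders
    WHERE  shipping #operator# <cfqueryparam cfsqltype="cf_sql_decimal" scale="2" value="#form.shipping#">
    AND    hidden = <cfqueryparam cfsqltype="cf_sql_integer" value="#hiddenFlag#">
</cfquery>
```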