I am in the process of adding <cfqueryparam> tags to all
my URL & FORM query variables (to protect against recent SQL
injection attacks) and have come up against a few challenges. If
one of those form/URL variables is a condition within a
<cfif> statement, is it vulnerable to any attacks? Please see
code examples 1 & 2.
Also, how do I handle wrapping the following item in the
<cfqueryparam> tag: NumberFormat(Shipping,'99999.99')? Please
see code example 3 for my first attempt at it (which throws an
> If one of those form/URL variables is a condition
within a <cfif> statement, is it vulnerable to any attacks?
> Please see code examples 1 & 2.
I cannot say it is invulnerable to _any_ attacks, but #2
seems like a reasonable approach. It does not use any of the
user-supplied values directly in the SQL, and you have set up a
default "cfelse" case to handle any attempts to pass invalid
values. Though personally I prefer switch/case myself, but that
is just me.
> Please see code example 3 for my first attempt at it
(which throws an error).
> <cfqueryparam cfsqltype="CF_SQL_INTEGER"
If your value has decimal places, then CF_SQL_INTEGER is
probably the wrong data type.
> <cfif #form.condition2# IS "less"><<cfelseif
#form.condition2# IS "exactly">=<cfelse>></cfif>
BTW, you do not need the extra # signs.
> <cfif Evaluate("Hidden_#counter#") IS "on">
> <cfelseif Evaluate("Hidden_#counter#") IS "">
As an aside:
1) The default <cfelse> case is missing, so the query
would fail if the value were something other than "on" or "".
2) Evaluate is probably unnecessary. You can use array
notation to reference dynamic variable names:
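The points made in the reply above, pulled together in one added example (my own code, not from the original question or reply). It assumes a datasource named myDSN, an orders table with order_id and shipping columns, and a hidden form field rowCount that carries the number of Hidden_N checkboxes; those names are illustrations only. The operator is chosen by switch/case with a default case that rejects anything unexpected, so no user-supplied text is ever interpolated into the SQL; the shipping amount is bound as cf_sql_decimal rather than CF_SQL_INTEGER; and the dynamic Hidden_N variables are read with array notation instead of Evaluate(). NumberFormat() is a display formatter that returns a string, so the example validates the number with isNumeric() and binds it directly, leaving formatting for output.

```cfml
<!--- Added example, not code from the original thread.
      Assumptions: datasource "myDSN", table "orders" (order_id, shipping),
      form fields condition2, shipping, rowCount and Hidden_1 .. Hidden_N. --->

<!--- Give missing fields a value so the default cases below catch them --->
<cfparam name="form.condition2" default="">
<cfparam name="form.shipping"   default="">
<cfparam name="form.rowCount"   default="0">

<!--- 1. Map the user's choice to an operator with switch/case. Only the
      literals set here ever reach the SQL; anything else is refused. --->
<cfswitch expression="#form.condition2#">
    <cfcase value="less">
        <cfset operator = "<">
    </cfcase>
    <cfcase value="exactly">
        <cfset operator = "=">
    </cfcase>
    <cfcase value="more">
        <cfset operator = ">">
    </cfcase>
    <cfdefaultcase>
        <cfthrow type="InvalidInput"
                 message="Unexpected value for condition2">
    </cfdefaultcase>
</cfswitch>

<!--- 2. Shipping has decimal places: validate it, then bind it as a
      decimal with scale 2 instead of CF_SQL_INTEGER. --->
<cfif NOT isNumeric(form.shipping)>
    <cfthrow type="InvalidInput" message="Shipping must be numeric">
</cfif>

<cfquery name="getOrders" datasource="myDSN">
    SELECT order_id, shipping
    FROM   orders
    WHERE  shipping #operator# <cfqueryparam cfsqltype="cf_sql_decimal"
                                           scale="2"
                                           value="#form.shipping#">
</cfquery>

<!--- 3. Dynamic variable names via array notation, with an explicit
      default branch. A checkbox that was not ticked is simply absent
      from the form scope, so StructKeyExists() covers that case too. --->
<cfset selectedRows = ArrayNew(1)>
<cfloop from="1" to="#Val(form.rowCount)#" index="counter">
    <cfset key = "Hidden_" & counter>
    <cfif StructKeyExists(form, key) AND form[key] IS "on">
        <cfset ArrayAppend(selectedRows, counter)>
    <cfelseif NOT StructKeyExists(form, key) OR form[key] IS "">
        <!--- not selected; nothing to do --->
    <cfelse>
        <cfthrow type="InvalidInput"
                 message="Unexpected value for #key#">
    </cfif>
</cfloop>

<!--- Format for display only, after the query has run --->
<cfoutput query="getOrders">
    #order_id#: #NumberFormat(shipping, "99999.99")#<br>
</cfoutput>
```

Submitting condition2=less with shipping=12.5 produces `WHERE shipping < ?` with 12.50 bound as a decimal; submitting condition2=less' OR 1=1-- hits the default case and raises InvalidInput before any query is built.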