> I have a general ColdFusion security question. If I am using cfqueryparam and
> the cfsqltype is varchar, can SQL injection code get passed to my database? I
> had someone tell me that the quotes get stripped off. I don't believe that is
> true. Can someone give me the breakdown on that please?
And it is not true because <cfqueryparam> passes the data as a 'bind'
parameter to the database management systems that can use them. That is
what you want to read up on to get a full understanding of the process.
Basically it separates data variables and tells the database that these
are data variables and will NEVER EVER contain executable SQL so don't
even bother trying to parse it.
WHERE bField = #someValue#
In this use case ColdFusion processes the entire block between the
<cfquery...> tags into a single string and sends it to the database.
Neither ColdFusion nor the database has any idea what is data and what is SQL
commands, so it will parse any SQL it finds.
WHERE bField = <cfqueryparam value="#someValue#" cfsqltype="cf_sql_varchar">
In this case ColdFusion will separate the query param and send it
separately as the above mentioned bind parameter, which both CF and modern
database management systems understand to be data and will never process
any SQL syntax it might contain. It then parses the rest of the SQL
into a string that it sends to the database to be parsed, using the
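The two forms contrasted above, written out as complete queries. This is an added example, not code from the thread; the datasource name myDsn, the table items and the sample value are assumptions, and the input is chosen to contain a quote so the difference is visible without any injection attempt.

```cfml
<!--- Constructed input: a legitimate value that happens to contain a single quote --->
<cfset someValue = "O'Brien">

<!--- Unsafe form: the whole block, value included, is sent as one SQL string.
      The embedded quote terminates the literal early, so the database sees
      ... WHERE bField = 'O'Brien' and either errors out or, with a crafted
      value, executes whatever follows the quote as SQL. --->
<cfquery name="unsafe" datasource="myDsn">
    SELECT id FROM items WHERE bField = '#someValue#'
</cfquery>

<!--- Safe form: the SQL text sent to the driver is
      SELECT id FROM items WHERE bField = ?
      and the value is shipped separately as a varchar bind parameter, so
      the quote is just a character in the data, never SQL syntax. --->
<cfquery name="safe" datasource="myDsn">
    SELECT id FROM items
    WHERE bField = <cfqueryparam value="#someValue#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- Same parameterized query in script syntax (queryExecute, CF11+);
      named placeholders are bound the same way as <cfqueryparam>. --->
<cfscript>
    safeScript = queryExecute(
        "SELECT id FROM items WHERE bField = :val",
        { val = { value = someValue, cfsqltype = "cf_sql_varchar", maxlength = 100 } },
        { datasource = "myDsn" }
    );
</cfscript>
```

A quick check on any existing code base is to search for `#` inside `<cfquery>` blocks that is not wrapped in a `<cfqueryparam>` (or a `:name` placeholder in queryExecute); each such interpolation is a concatenation of the first kind.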