
Coldfusion security techniques


ice78991

Programmer
Joined
Nov 20, 2006
Messages
216
When passing query parameters in a URL, what is the best way to protect against people adding malicious SQL commands to the URL? I am aware that <cfqueryparam> offers some protection, but if you need to set the maxlength to, say, 20 and you are passing a CF_SQL_VARCHAR, it seems that malicious commands could still be tacked on.

Is it common practice to run an additional check of the passed URL value before using it in the query (scanning the URL variable for words such as 'drop', or for the inclusion of semicolons, etc.)?
 
Using cfqueryparam makes it so that even if a command is tacked on, it cannot run. It becomes only a string, not an executed command in the SQL.

You SHOULD check existence, length, data type, etc. on your own for error control.

Test it yourself; you won't get any SQL to run through the URL with cfqueryparam.

cfqueryparam also has a maxlength attribute.

Kevin

Phase 1: Read the CFML Reference
Phase 2: ???
Phase 3: Profit!
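The two points above (validate on your side, then bind the value with cfqueryparam) put together in one page, as an added example that is not from the thread and not Adobe's documentation. The datasource name myDSN and the table products (columns id, name) are assumed for illustration.

```cfml
<!--- Added example, not from the thread. The datasource "myDSN" and the
      table "products(id, name)" are assumed names for illustration. --->

<!--- 1. Existence and data type, checked before the query is built.
      cfparam with type="integer" throws if url.id is missing or is not
      an integer, so a value such as "5; DROP TABLE products" never gets
      as far as the database. --->
<cfparam name="url.id" type="integer">

<!--- 2. Bind the value as a parameter instead of pasting it into the SQL.
      The driver receives the SQL text and the value separately; the value
      can only ever be compared against the column, never executed. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Free-text input: enforce length yourself, then bind as varchar.
      maxlength makes ColdFusion throw on an over-long value rather than
      truncate it, so the explicit check below gives a controlled failure.
      Even a value that reads like SQL ("x' OR '1'='1") is sent as one
      string literal to compare against name; it is data, not SQL. --->
<cfparam name="url.q" default="">
<cfif len(trim(url.q)) EQ 0 OR len(url.q) GT 20>
    <cfthrow message="A product name of 1 to 20 characters is required.">
</cfif>

<cfquery name="findProduct" datasource="myDSN">
    SELECT id, name
    FROM   products
    WHERE  name = <cfqueryparam value="#url.q#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>
```

Scanning the URL for words like 'drop' or for semicolons is not needed once the value is bound this way, and such blacklists tend to block legitimate input (a product called "Dropper") while missing encodings the list did not anticipate. The checks that remain worthwhile are the ones Kevin lists: existence, type and length, which decide whether the request is sensible before it reaches the database.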
 