Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

first time using cfqueryparam

Status
Not open for further replies.
lucidtech

lucidtech

IS-IT--Management
Jan 17, 2005
267
US
I'm using the cfqueryparam tag for the first time (this is my first public web-site using Coldfusion). I've read that the "maxlength" setting can prevent people from inputting malicious query statments into the database.... I was wondering what the maximum I should set the "maxlength" parameter to in order to keep users from doing this. How long is a malicious SQL statement?

Also, I have forms where users can fill in information about themselves... how do I keep these malicious strings from being inserted when I have the maxlength set to 1000 characters? I've thought about using character restrictions, but was curious if there is a different way.
 
Sort by date Sort by votes
I'd set the maxlength attribute to the max size of the field within your database. so if you have a text field that is 50 characters, set the maxlength of the queryparam to 50.

Instead of using the maxlength attribute, I'd make sure what you pass to the queryparam is safe in the first place. have a look at this function:


it will remove potential sql injection characters from your strings passed.

Hope this helps!

Tony
 
Upvote 0 Downvote
Thank you so much, Tony! That was exactly what I was looking for, and thought I was doomed to have to hard-code it myself. Much appreciated :)
 
Upvote 0 Downvote
<cfqueryparam will already DO that...

whatever the value of cfqueryparam, it is CAST as the proper data type and NON-EXECUTABLE - It can't run as SQL during the query compilation or execution - it has been cast to a specific datatype (int, varchar, etc) using cfqueryparam is nearly the same as createing a 'prepared statement' which would manually do the same.

there is no need for the extra CFLib UDF if you are using cfqueryparam - and cfqueryparam is able to be used in cached queries as of CF8 - woo hooo!

Kevin
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

LyndonOHRC
  • Locked
  • Question
Need help using ImageCrop()
Replies
1
Views
247
LyndonOHRC
LyndonOHRC
Mike Lewis
  • Locked
  • Question
Using Dreamweaver to maintain a site not created in Dreamweaver
Replies
2
Views
744
Mike Lewis
Mike Lewis
ChitradeviSelvam
  • Locked
  • Question
Facing issues with Coldfusion server-it is going down at peak usage time
Replies
1
Views
250
Wullie
Wullie
lwfg
  • Locked
  • Question
cfqueryparam-testing for null
Replies
2
Views
204
lwfg
lwfg
Klyphq
  • Locked
  • Question
cfqueryparam syntax issue
Replies
7
Views
290
cfSearching
cfSearching

Part and Inventory Search

Sponsor

Back
Top