coldfusion cookbook

Site menu:

Welcome | Categories | FAQ | Submit

How can I prevent SQL injection attacks?

SQL injection attacks occur when a client manipulates a web page to pass invalid data to a query. This can be down to force errors, bypass security, or even delete data. The <cfqueryparam> tag prevents SQL injection by binding values into the query; the bound values cannot be interpreted as SQL. It also results in faster queries.

<cfquery name="QCheckUser" datasource="blahblah">
  SELECT *
    FROM USERS
   WHERE username = '#FORM.username#' 
     AND password = '#FORM.password#'
</cfquery>

becomes

<cfquery name="QCheckUser" datasource="blahblah">
  SELECT *
    FROM USERS
   WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.username#"> 
     AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.password#">
</cfquery>

In general, <cfqueryparam> should be used whenever a dynamic attribute is specified in a query.

This question was written by James Holmes
It was last updated on January 19, 2006.

Categories

Database / SQL

Comments

comments powered by Disqus

Search:

More information:

The following are links to other sites that provide important ColdFusion information and resources.

CFLib.org | Adobe ColdFusion Blog |

RSS

RSS Feed

Created by Raymond Camden. Design by Andreas Viklund. Header design by Kyle Hayes.