After you've been coding for a few months, one of the more important lessons you learn is how to avoid SQL-injection attacks. Generally, this is done with the help of a language-specific function, which strips/escapes/wraps characters appropriately.

Using this ColdFusion example, everything works as expected:

<cfquery name="test">
  SELECT myfield
  FROM mytable
  WHERE myid = <cfqueryparam value="#url.id#">
</cfquery>

Given that the URL scope pulls from the query string, this value could be manipulated by any malicious user, to wreak havoc on your database. CFQueryParam, of course, prevents this from happening.

But, with safeguards generally come consequences, although they are better than the alternative. Try the query below using cfqueryparam:

<cfquery name="test">
  SELECT myfield
  FROM mytable
  WHERE myid = <cfqueryparam value="#url.id#">
  LIMIT <cfqueryparam value="#url.count#">
</cfquery>

You get an SQL error. This is because cfqueryparam wraps the LIMIT parameter in single quotes. A string is given, where an integer is expected.

You language may have a way to deal with this, but if not, one method is to use your languages "cast to integer" function.

By casting url.count to an integer, you would effectively strip any malicious SQL-injection commands.

But, as stated before, your language may have a way to deal with this. In the case of ColdFusion, if you supply a cfsqltype parameter, it will handle it properly:

<cfquery name="test">
  SELECT myfield
  FROM mytable
  WHERE myid = <cfqueryparam value="#url.id#" cfqsqltype="CF_SQL_TINYINT">
</cfquery>

Leave a Reply

Your email address will not be published. Required fields are marked *