Purpose: Protect against SQL injection attacks in ColdFusion queries.

ColdFusion makes it easy to build dynamic, database-driven sites. While such dynamic content can make for great sites, security must be maintained. To protect against SQL injection attacks, ColdFusion offers the CFQUERYPARAM tag, which binds browser-supplied values as typed query parameters instead of splicing them into the SQL text. Every CFQUERY tag that uses data provided by the web browser in the query should use this tag. For example:

    <CFQUERY NAME="query_name" DATASOURCE="dsn">
        SELECT name
        FROM table
        WHERE column = <CFQUERYPARAM VALUE="#form.formfield#" CFSQLTYPE="CF_SQL_CHAR" MAXLENGTH="12">
    </CFQUERY>

"Macromedia recommends that you use the cfqueryparam tag within every cfquery tag, to help secure your databases from unauthorized users." For more information, see Security Bulletin ASB99-04, "Multiple SQL Statements in Dynamic Queries".
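The following is an added example, not code from the original note or from Macromedia, showing a query that splices browser input into the SQL text next to the same queries rewritten with CFQUERYPARAM; it goes beyond the single CF_SQL_CHAR case above to cover an integer key, a LIKE search and an IN list, and shows the one thing CFQUERYPARAM cannot bind (a column name). The datasource "dsn", the table "users" with columns "id" and "name", and the form/URL fields are assumed for illustration.

```cfml
<!--- Constructed sample inputs standing in for values sent by the browser (assumed names). --->
<cfparam name="url.id" default="1">
<cfparam name="form.search" default="">
<cfparam name="form.ids" default="1,2">
<cfparam name="url.sort" default="name">

<!--- UNSAFE: the URL value becomes part of the SQL statement itself, so whatever
      SQL the browser sends is executed along with the intended query. --->
<cfquery name="getUserUnsafe" datasource="dsn">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>

<!--- SAFE: the value is sent as a typed bind parameter. CF_SQL_INTEGER also makes
      ColdFusion reject a non-numeric value before the query ever reaches the database. --->
<cfquery name="getUser" datasource="dsn">
    SELECT id, name
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- LIKE search: put the wildcards in the parameter value, not in the SQL text,
      and cap the length so an oversized string is rejected rather than bound. --->
<cfquery name="searchUsers" datasource="dsn">
    SELECT id, name
    FROM users
    WHERE name LIKE <cfqueryparam value="%#form.search#%" cfsqltype="CF_SQL_VARCHAR" maxlength="52">
</cfquery>

<!--- IN list: list="true" binds each comma-separated item as its own typed parameter. --->
<cfquery name="getUsersById" datasource="dsn">
    SELECT id, name
    FROM users
    WHERE id IN (<cfqueryparam value="#form.ids#" cfsqltype="CF_SQL_INTEGER" list="true">)
</cfquery>

<!--- Identifiers (column or table names, ORDER BY targets) cannot be bound as parameters.
      Map the browser value onto a fixed allowlist and never use the raw value in the SQL. --->
<cfif listFindNoCase("name,id", url.sort)>
    <cfset sortColumn = url.sort>
<cfelse>
    <cfset sortColumn = "name">
</cfif>
<cfquery name="listUsers" datasource="dsn">
    SELECT id, name FROM users ORDER BY #sortColumn#
</cfquery>
```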