Participant
March 27, 2009
Answered

CFQUERYPARAM - Can it work without throwing an error?

  • March 27, 2009
  • 4 replies
  • 1109 views
I am using CFQUERYPARAM with great success in application; my problem is all application errors are emailed to a queue that is closely watched by a supervisor. So unless I put a try/catch around every single query, I get an email whenever a hack attempt or badly formed variable is passed in an URL string to any page on the site. We are using the cferror tag (<cferror type="EXCEPTION"...) to catch errors thrown by ColdFusion. Any suggestions how I can make CFQUERYPARAM mismatches either not thrown or ignored by CFERROR?

BKBK
Community Expert
March 29, 2009
> I get an email whenever a hack attempt or badly formed variable is passed in an URL string to any page on the site.

Count yourself lucky.

> We are using the cferror tag (<cferror type="EXCEPTION"...) to catch errors thrown by ColdFusion. Any suggestions how I can make CFQUERYPARAM mismatches either not thrown or ignored by CFERROR?

You mean you want to be oblivious to the fact that a hacker is chiseling away at your site?

Inspiring
March 30, 2009
sunshinerc wrote:
my problem is all application errors are emailed to a queue that is closely watched by a supervisor

BKBK wrote:
> You mean you want to be oblivious to the fact that a hacker is chiseling away at your site?

It sounded as if they just did not want their supervisor to be emailed in those conditions, and would send them to an alternate address. Though the obvious lack of validation should be corrected as well.

Inspiring
March 28, 2009
> Validate all user inputs before they get to your cfquery tag.

Agreed: this would be the best approach. The data should be being checked
as much as possible - especially if it's from user input, malicious or
otherwise - before getting to the point of trying to put it in the DB.

--
Adam
Dan_Bracuk
Correct answer
Inspiring
March 28, 2009
quote:

Originally posted by: sunshinerc
I am using CFQUERYPARAM with great success in application; my problem is all application errors are emailed to a queue that is closely watched by a supervisor. So unless I put a try/catch around every single query, I get an email whenever a hack attempt or badly formed variable is passed in an URL string to any page on the site. We are using the cferror tag (<cferror type="EXCEPTION"...) to catch errors thrown by ColdFusion. Any suggestions how I can make CFQUERYPARAM mismatches either not thrown or ignored by CFERROR?

Validate all user inputs before they get to your cfquery tag.
Inspiring
March 28, 2009
You might have a look at what type of exception is thrown in these two cases (i.e. coldfusion.runtime.WrongSomethingException, et cetera). Assuming they are not broad types like java.lang.Exception, you could modify your error handler to ignore them.
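
The "validate before the cfquery tag" advice from the replies above, as an added example that is not code from any poster in this thread: a malformed `url.id` is rejected with a 400 and written to a separate log, so no exception reaches cferror while the attempt is still recorded. The names `requireParam`, `url.id`, `products`, `myDSN` and the `input_rejects` log file are assumptions made for illustration.

```cfml
<!--- Added example. Assumed names: requireParam, url.id, products, myDSN, input_rejects. --->
<cffunction name="requireParam" returntype="boolean" output="false"
            hint="True when scope[name] exists and matches the whole-string pattern.">
    <cfargument name="scope"   type="struct" required="true">
    <cfargument name="name"    type="string" required="true">
    <cfargument name="pattern" type="string" required="true">

    <cfif structKeyExists(arguments.scope, arguments.name)
          AND reFind(arguments.pattern, arguments.scope[arguments.name]) EQ 1>
        <cfreturn true>
    </cfif>

    <!--- Record the rejected request in its own log file. Nothing is thrown,
          so the cferror handler (and its email) is not triggered, but the
          probing stays visible to whoever reviews this log.
          cgi.query_string is the raw, still URL-encoded string; it is
          truncated to keep log lines bounded. --->
    <cflog file="input_rejects" type="warning"
           text="Rejected '#arguments.name#' on #cgi.script_name# from #cgi.remote_addr#; query string: #left(cgi.query_string, 200)#">
    <cfreturn false>
</cffunction>

<!--- 1 to 9 digits only: always fits cf_sql_integer, so the bind below cannot mismatch. --->
<cfif NOT requireParam(url, "id", "^[0-9]{1,9}$")>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid request.</cfoutput>
    <cfabort>
</cfif>

<!--- cfqueryparam stays in place: validation runs in front of the bind
      parameter, it does not replace it. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT product_id, product_name
    FROM   products
    WHERE  product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Any other exception raised on the page still goes through the existing cferror handler unchanged.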