cfqueryparam inside a cfif

Question

I am in the process of adding tags to all my URL & FORM query variables (to protect against recent SQL injection attacks) and have come up against a few challenges. If one of those form/URL variables are a condition within a statement, is it vulnerable to any attacks? Please see code examples 1 & 2. Also, how do I handle wrapping the following item in the tag: NumberFormat(Shipping,'99999.99')? Please see code example 3 for my first attempt at it (which throws an error). Thanks!

-__cfSearching__- · Answer

pja5362 wrote:> If one of those form/URL variables are a conditionwithin a statement, is it vulnerable to any attacks? > Please see code examples 1 & 2.I cannot say it is invulnerable to _any_ attacks, but #2seems like a reasonable approach. It does not use any of the usersupplied values directly in the sql. That and the fact that youhave set up a default "cfelse" case to handle any attempts to passinvalid values. Though personally I prefer switch/case myself. Butthat is just me.> Please see code example 3 for my first attempt at it(which throws an error).> If your value has decimal places, then CF_SQL_INTEGER isprobably the wrong data type.> <=>BTW, you do not need the extra # signs.> > -1> > 0> As an aside 1) The default case is missing. So the querywould fail if the value was something other than "on" or "". 2) Evaluate is probably unnecessary. You can use arraynotation to reference dynamic variable names: #FORM["hidden_"& counter]#

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded