August 3, 2012

cfqueryparam question


Is it necessary to keep keywords and certain symbols out of data if cfqueryparam and htmleditformat() are used ?

    Correct answer Dan_Bracuk

    Would htmleditformat() protect against that?


    If you store what you collected, and use htmleditformat for displaying the data, the js will not execute.  However, if you are using a rich textarea to collect the data, you might have a problem because that data will include html tags.

    If you go to cfilb.org you will find a useful function called safetext.  It strips the nefarious tags and preserves the benign ones.


    August 3, 2012

    Cfqueryparam will escape certain symbols such as apostrophes so you don't have to worry about it.

    If you are sending html-formatted strings as part of your query string, with or without cfqueryparam, the database will process the string that was sent.  That means spaces will be converted to %20, and so on.

    I don't understand your question about keywords.

    August 3, 2012

    When queries are parameterized, do I still need to make sure things like a ';' or '--' or 'drop' or 'delete' aren't in data someone's entering in a form?

    August 3, 2012

    No you do not need to worry about that.  However, you do have to worry about script injection.
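An added example (not part of the thread) that shows the two points above in runnable form: a parameterised query is the stand-in for cfqueryparam, and html.escape() is the stand-in for htmleditformat(); sqlite3 and the hostile comment string are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample input: one comment that carries both SQL metacharacters
# (';', '--', DROP) and a script tag, the two cases the thread discusses.
HOSTILE_COMMENT = "'; DROP TABLE comments; -- <script>alert(1)</script>"


def setup_db() -> sqlite3.Connection:
    """Create an in-memory database with a single comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, body: str) -> None:
    """Parameterised insert (the cfqueryparam equivalent): the body is sent as a
    bound value, so ';', '--' and DROP are stored as text, never run as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def render_comment(conn: sqlite3.Connection, comment_id: int) -> str:
    """Read the row back and HTML-escape it on output (the htmleditformat
    equivalent), so a stored <script> tag is displayed, not executed.
    Note this escapes every tag; a rich-text field that must keep benign
    tags needs a tag whitelist instead, which is the thread's caveat."""
    row = conn.execute(
        "SELECT body FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    return "<p>" + html.escape(row[0]) + "</p>"


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Look in sqlite's catalogue so we can show the table survived the insert."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo() -> tuple[bool, str, str]:
    """Store the hostile comment, then report: table still there, stored text, rendered HTML."""
    conn = setup_db()
    store_comment(conn, HOSTILE_COMMENT)
    stored = conn.execute("SELECT body FROM comments WHERE id = 1").fetchone()[0]
    return table_exists(conn, "comments"), stored, render_comment(conn, 1)


if __name__ == "__main__":
    print(demo())
```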