Question
cfqueryparam question
Hello,
We recently found ourselves dealing with a nasty SQL code injection issue. I have implemented a few stop-gaps while I do something I should have been doing - Adding <cfqueryparam> to all my dynamic queries.
My affected database has about 20 tables for each of about 20 areas, so there's an Adata, Bdata, Cdata, etc. In my dynamic queries A,B, or C is a variable defined in a SESSION when the user logs in. So if I'm the guy from "A" all my tablenames in queries will be prepended with "A" via a session var.
My question is this:
In this query
SELECT ID
FROM #SESSION.ID.area#members
WHERE ID = #form.newID#
I am going to update the #form.newID# with CFQUERYPARAM. Is there any threat with the SESSION variable, and if so, how would I protect it and retain my dynamic abilities?
Also, 95% of my columns are nvarchar(255) due to the actual necessity of storing a lot of data. I know using cfqueryparam even with (whichever type matches) this type declaration will prevent code executing on the server, but doesn't it still allow it to be written, due to it still being text? And won't it still execute if called to a browser?
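One way to harden the query in the post, as an added example (not code from the original post; the datasource name, the `notes` column and the list of valid area prefixes are assumptions):

```cfml
<!--- Added example, not from the original post. Assumed: SESSION.ID.area holds
      the area prefix ("A", "B", ...), the tables are named Amembers, Bmembers, ...,
      ID is an integer column, and "notes" is one of the nvarchar(255) columns. --->

<!--- 1. A table name is an identifier, not a value, so cfqueryparam cannot bind it.
         The only safe source for it is an allow-list of prefixes the application
         already knows; the session value is checked against that list, never
         pasted into the SQL unchecked. --->
<cfset knownAreas = ["A", "B", "C"]>   <!--- constructed list of valid prefixes --->
<cfif NOT arrayContains(knownAreas, SESSION.ID.area)>
    <cfthrow type="Application" message="Unknown area prefix in session">
</cfif>
<cfset memberTable = SESSION.ID.area & "members">

<!--- 2. The user-supplied value is bound as a typed parameter. The database
         receives it as data, so it can never change the SQL text, and a
         non-numeric value is rejected before the query runs. --->
<cfquery name="qMember" datasource="myDSN">
    SELECT ID, notes
    FROM #memberTable#
    WHERE ID = <cfqueryparam value="#form.newID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. An nvarchar column will store whatever text was bound, including strings
         that look like SQL or HTML. That is fine: stored text is never executed
         by the database. The risk is the output context, so the value is
         HTML-encoded when rendered and the browser treats it as text, not markup. --->
<cfoutput query="qMember">
    <p>#encodeForHTML(qMember.notes)#</p>
</cfoutput>
```

If the stored text is rendered elsewhere (a JavaScript string, an attribute, a URL), use the matching encoder for that context (encodeForJavaScript, encodeForHTMLAttribute, encodeForURL) rather than encodeForHTML.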
