August 29, 2008
Question

cfqueryparam with PreserveSingleQuotes

Hi all,

Is the following query safe against SQL injection attacks?

<cfquery name="AddRequestParams" datasource="MyDb">
INSERT INTO MyTable (Field)
VALUES (<cfqueryparam value = "#PreserveSingleQuotes(URL.Value)#">)
</cfquery>

I've read in several places that you should avoid using PreserveSingleQuotes with cfqueryparam, but seen no examples of why this would be dangerous. [Yes, there's no data type or length validation; I removed these for clarity.]

Any help is greatly appreciated.

Dave

    BKBK
    Community Expert
    September 1, 2008
    > Is the following query safe against SQL injection attacks?

    Yes. It is cfqueryparam that makes it safe. However, your query should be something like
    <cfquery name="AddRequestParams" datasource="MyDb">
    INSERT INTO MyTable (Field)
    VALUES (<cfqueryparam cfsqltype="cf_sql_varchar" value = "#URL.Value#">)
    </cfquery>

    > I've read in several places that you should avoid
    > using PreserveSingleQuotes with cfqueryparam


    That is true.

    > ... seen no examples of why this would be dangerous.

    I am not aware of any such danger either. The reason for not using preserveSingleQuotes with cfqueryparam is that the cfqueryparam tag automatically preserves single quotes.

    Inspiring
    August 29, 2008
    preservesinglequotes serves no useful purpose in your example, with or without cfqueryparam.

    preservesinglequotes is used like this:

    <!--- Build the SQL statement as a string first; the single quotes around the
          value belong to the statement itself, not to a user-supplied variable. --->
    <cfset sql = "select somefields from sometables where somefield = '#somevariable#'">

    <!--- Without preservesinglequotes, ColdFusion would double the quotes inside
          #sql# when it is output in the cfquery body, breaking the statement. --->
    <cfquery name="q" datasource="MyDb">
    #preservesinglequotes(sql)#
    </cfquery>
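A CFML example, added here and not part of the thread, that puts the patterns discussed in both replies side by side against one value containing a quote. It assumes the question's names (MyDb, MyTable, Field) and a constructed test value; the hardened form adds the cfsqltype and maxlength that the question left out.

```cfml
<!--- Added example, not code from the original thread. MyDb/MyTable/Field are the
      question's names; the test value is constructed to contain a single quote. --->
<cfset testValue = "O'Brien">

<!--- 1. Plain interpolation inside cfquery: ColdFusion doubles the single quote in
      the variable ("O''Brien"), so the statement stays well-formed. Still weaker
      than a bound parameter, because it relies on text escaping alone. --->
<cfquery name="q1" datasource="MyDb">
    INSERT INTO MyTable (Field) VALUES ('#testValue#')
</cfquery>

<!--- 2. PreserveSingleQuotes on user data: the automatic escaping is switched off,
      so the quote reaches the database unchanged. The SQL becomes
      INSERT INTO MyTable (Field) VALUES ('O'Brien'), a syntax error for this
      value and, in general, the point where untrusted text becomes SQL.
      This is the vulnerable pattern; cftry keeps the page running past it. --->
<cftry>
    <cfquery name="q2" datasource="MyDb">
        INSERT INTO MyTable (Field) VALUES ('#PreserveSingleQuotes(testValue)#')
    </cfquery>
    <cfcatch type="database">
        <cfoutput>Pattern 2 failed as expected: #cfcatch.message#</cfoutput>
    </cfcatch>
</cftry>

<!--- 3. cfqueryparam: the value travels as a bound parameter and is never spliced
      into the SQL text, so no quote escaping is involved and PreserveSingleQuotes
      has nothing to act on. cfsqltype and maxlength add the type and length
      validation the question omitted. --->
<cfquery name="q3" datasource="MyDb">
    INSERT INTO MyTable (Field)
    VALUES (<cfqueryparam value="#testValue#" cfsqltype="cf_sql_varchar" maxlength="100">)
</cfquery>

<!--- 4. The legitimate use from the second reply: a SQL fragment built entirely
      from trusted code (no user input inside it). Its own quotes must survive,
      so PreserveSingleQuotes is applied to the fragment, not to a user value. --->
<cfset whereClause = "WHERE Field = 'fixed-literal'">
<cfquery name="q4" datasource="MyDb">
    SELECT Field FROM MyTable #PreserveSingleQuotes(whereClause)#
</cfquery>
```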