How to help prevent sql injection with CF

Question

I'm trying to secure our site from possible SQL injection.
Currently our site uses several sql select statements w/in a
CFQUERY. I was able to pull extra data then intended using and
input field on our site. 
So how should I go about correcting this? 
I have read to use cfqueryparam for all form fields will
help. Is this enough. I have also read to create the script w/in
the the database as Stored Procedure instead of running them from
the web application.
Any help or advise would be great. Also any books written
about SQL injection and CF.
Thanks!

Dan_Bracuk · Answer

quote:Originally posted by: sic4730I'm trying to secure our site from possible SQL injection.Currently our site uses several sql select statements w/in aCFQUERY. I was able to pull extra data then intended using andinput field on our site.So how should I go about correcting this?I have read to use cfqueryparam for all form fields willhelp. Is this enough. I have also read to create the script w/inthe the database as Stored Procedure instead of running them fromthe web application.Any help or advise would be great. Also any books writtenabout SQL injection and CF.Thanks!cfqueryparam will help against sql but will do nothing toprotect you from other types of code injection, like javascript.There are other reasons to use it, but don't rely on it forsecurity.The best protection is to validate all input fields, be theyform, url, cookie, etc.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded