Question
how to stop a hacker putting SQL in to your query strings
Hi there
I am looking for a way to "validate" data that arrives as part of the query string.
For example, if I have this:
<cfquery name="blah" datasource="blahblah">
select *
from tbl_blah
where something = #url.var#
</cfquery>
All's well and good until some bright spark edits the URL and changes var to be something naughty (yesterday someone passed "drop database" to one of my pages in this way!).
Is there a best practice for checking that data arriving as a URL variable is of the correct type?
Thank you very much indeed.
PS: currently, if the passed data is text, I tend to run a load of cfifs in the query,
e.g.
<cfquery name="blah" datasource="blahblah">
select *
from tbl_blah
<cfif isdefined("url.var") and url.var EQ 'blue'> WHERE var='blue'</cfif>
<cfif isdefined("url.var") and url.var EQ 'red'>WHERE var='red'</cfif>
</cfquery>
which is a bit of a pain, but what if the var is a number from 0 to 1000?! You can't have 1000 cfif statements in every query, can you?!
Thanks guys
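Added example, not the poster's code: the same query with the URL value bound through cfqueryparam, so the database receives a typed parameter instead of SQL text; the table, column and datasource names are the poster's placeholders, and url.colour is an assumed name for the text case from the PS.

```cfml
<!--- Constructed example: the query from the question, hardened. --->
<!--- 1. Declare what url.var must look like before it goes near SQL.
      If the value is missing the default is used; if it is present but
      not a number in 0..1000, ColdFusion throws instead of running the query. --->
<cfparam name="url.var" type="range" min="0" max="1000" default="0">

<!--- 2. Bind the value as a typed parameter. The driver receives the SQL
      with a placeholder and the value separately, so "drop database" or a
      stray quote can never become part of the statement. A non-integer value
      is rejected by cfqueryparam itself. --->
<cfquery name="blah" datasource="blahblah">
    select *
    from tbl_blah
    where something = <cfqueryparam value="#url.var#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Text values get the same treatment: the colour case from the PS
      collapses to one query, with a length cap instead of a cfif per value.
      url.colour is an assumed parameter name. --->
<cfparam name="url.colour" type="string" default="">
<cfif len(url.colour)>
    <cfquery name="byColour" datasource="blahblah">
        select *
        from tbl_blah
        where var = <cfqueryparam value="#url.colour#" cfsqltype="cf_sql_varchar" maxlength="20">
    </cfquery>
</cfif>
```

cfqueryparam only binds values; a table or column name taken from the URL cannot be parameterised and must instead be matched against a fixed list of allowed names before it is used.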