Hi,
I have some CF7 code with queries using <cfqueryparam..> that don't contain the maxlength parameter. For example:
<cfqueryparam value="#tktNum#" cfsqltype="CF_SQL_VARCHAR" >
The queries all run fine but is this totally useless in terms of sql injection protection? Is it doing anything helpful?
Thanks in advance,
Richard
No, it's not useless as far as safe-guarding against SQL injection goes because params are treated as values not SQL, so will not be executed.
The only thing the maxlength does is (as far as I know) to do length-check validation on CF's end of things before sending it to the DB... this saves a DB hit if the data wouldn't "fit" anyhow.
It's good to have the length check on if poss, but not the end of the world to not have it.
--
Adam
Already have an account? Login
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
AdChoices