Hi. I'm using cfqueryparam with any dynamic cfquery tag. However, in
one case, I'm storing the "WHERE" conditions in a user account so that
the user can call up the last search he did. So I construct the
string (e.g. parameter1='A' AND parameter2='B'...) and when I store
that finished string, I use cfqueryparam. However, what if code for
an SQL injection is entered there? Although it will not be executed
when it is stored, it could be executed when it is called up later:
<cfquery...
SELECT * FROM Table1
WHERE #storedString#
</cfquery>
The only thing I can think of is dynamically building the string in
the WHERE clause and inserting the appropriate cfqueryparam tag for
each parameter. Seems pretty cumbersome. Are there any other
solutions?
Thanks,
Rich
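One way to do what the question describes, as an added example that is not code from the original post: save the last search as structured criteria (column name plus value) rather than as a finished SQL fragment, and rebuild the WHERE clause at lookup time with one cfqueryparam per value. Column names cannot be bound with cfqueryparam, so the example also checks each saved column against an allow-list before it is placed in the SQL text. The datasource name, table name, column names, SQL types and the sample criteria are all assumptions for illustration.

```cfml
<!--- Added example, not from the original post. Datasource, table, columns,
      types and the sample criteria below are made up for illustration. --->

<!--- Columns a saved search may filter on, with the cfsqltype for each.
      Identifiers cannot be passed through cfqueryparam, so this allow-list
      is what keeps stored text out of the column position of the query. --->
<cfset allowedColumns = {
    parameter1 = "cf_sql_varchar",
    parameter2 = "cf_sql_varchar",
    amount     = "cf_sql_numeric"
}>

<!--- What gets stored in the user's account: an array of criteria serialized
      as JSON, not a WHERE string. Constructed sample; the second value shows
      injection-looking text that will simply be compared as data. --->
<cfset lastSearch = [
    { column = "parameter1", value = "A" },
    { column = "parameter2", value = "B' OR 1=1 --" }
]>
<cfset storedString = serializeJSON(lastSearch)>
<!--- storedString is written to the account row with its own cfqueryparam
      (that part is unchanged from what the question already does). --->

<!--- Later, when the user calls the search up again: --->
<cfset criteria = deserializeJSON(storedString)>

<!--- Reject any saved column that is not on the allow-list before touching SQL. --->
<cfloop array="#criteria#" index="c">
    <cfif NOT structKeyExists(allowedColumns, c.column)>
        <cfthrow message="Saved search refers to a column that is not allowed: #c.column#">
    </cfif>
</cfloop>

<!--- Rebuild the WHERE clause: the column name comes from the allow-listed
      key, the value is bound with cfqueryparam, so nothing from the stored
      string is ever interpreted as SQL. --->
<cfquery name="results" datasource="myDSN">
    SELECT *
    FROM Table1
    WHERE 1 = 1
    <cfloop array="#criteria#" index="c">
        AND #c.column# = <cfqueryparam value="#c.value#"
                                       cfsqltype="#allowedColumns[c.column]#">
    </cfloop>
</cfquery>
```

The point of the design is that the thing you persist is data describing a search, not SQL. Storing the finished WHERE string means the stored value has to be trusted as code when it is read back, and cfqueryparam at storage time does nothing to change that; storing column/value pairs lets every replay go through cfqueryparam exactly as a fresh search would.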
Archive: http://www.houseoffusion.com/groups/SQL/message.cfm/messageid:3110