Solved

CFQUERYPARAM and order by

Posted on 2009-05-18
5
174 Views
Last Modified: 2013-12-24
Concerning protection against injection I'm a little confused when I should protect the ORDER by clause. Does the query below need to be changed to protect the order by part? If so what to?
...

SELECT     container, language, active, lastedit, title, contentID

FROM       contentItems

WHERE     (active= <CFQUERYPARAM Value=1>)

ORDER BY container, language

</cfquery>

Open in new window

0
Comment
Question by:Shawn
  • 3
  • 2
5 Comments
 
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 24417308
No.  

(Though it is not the only reason to use it) cfqueryparam is used when working with user supplied values (FORM or URL variables).  Since there are no user supplied values in your ORDER BY clause, you do not need to modify it.  

If you were using a user supplied value in the ORDER BY, like for dynamic sorting, you _would_ need to protect it.  BUT ... cfqueryparam is used for "values", not table or column names.  So you would have to find some other way to protect the statement below:

--- this statement is NOT safe
SELECT     container, language, active, lastedit, title, contentID
FROM       contentItems
WHERE     (active= <CFQUERYPARAM Value=1>)
ORDER BY #url.sortByColumnName1#, #url.sortByColumnName2#

0
 
LVL 52

Expert Comment

by:_agx_
ID: 24417320
> (active= <CFQUERYPARAM Value=1>)

    I am assuming that is just psuedo-code.  Otherwise, the value should be quoted and the
    correct  "cfsqltype" included  (integer, bit, etc..)

    WHERE  active =  <CFQUERYPARAM Value="1" cfsqltype="cf_sql_integer">
0
 
LVL 1

Author Comment

by:Shawn
ID: 24417366
thanks for the clarification. It's taken a little while to wrap it all around my head. Moving up from Access to SQL server is great but my head is still spinninig a little :-)

thanks for the pointer. I updated all vulnerable queries with a tool that didn't specify type. The type is boolean so I suppose this should be it.
WHERE     (active= <CFQUERYPARAM cfsqltype="cf_sql_bit" Value="1">)
0
 
LVL 52

Expert Comment

by:_agx_
ID: 24417622
> Moving up from Access to SQL server is great but my head is still spinninig a little :-)

Yes, but you will love it as soon as you get your bearings ;-)
0
 
LVL 1

Author Comment

by:Shawn
ID: 24417632
I'm already starting to...so many possibilities.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
OpenLDAP set password to expire 7 440
Reverse Proxy Server 6 69
Problem to go to page 12 66
.dwt files not viewable in browser - why? 2 50
Most ColdFusion developers get confused between the CFSet, Duplicate, and Structcopy methods of copying a Structure, especially which one to use when. This Article will explain the differences in the approaches with examples; therefore, after readin…
Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now