I’ve searched the docs but cannot seem to find an answer to “Does using the cfqueryparam prevent SQL Injection”? Found some info while googling but would like a definitive answer from this community.
Thanks!
I was looking for this too but only found this forum. Did you find SQL injection here?
CFQUERYPARAM will validate your data type, thus keeping out any SQL injection, because those are most often utilizing punctuation and such to ‘hijack’ variables and change your statements. Those punctuation marks will not validate as strings, integers, dates, etc., and the CFQUERYPARAM will throw an error, rather than let the nefarious data get to your DB.
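An added illustration of the reply above (example code, not posted by anyone in this thread): the same lookup written with the value spliced into the SQL text and then with CFQUERYPARAM, plus the one case CFQUERYPARAM cannot cover. It assumes a `users` table, a datasource named `myDSN`, and `id` and `sort` URL parameters; all three names are hypothetical.

```cfml
<!--- Constructed sample input; in a real request these come from the URL --->
<cfparam name="url.id" default="1">
<cfparam name="url.sort" default="username">

<!--- VULNERABLE: the raw value becomes part of the SQL text.
      ColdFusion only doubles single quotes inside #...# in a cfquery,
      which does nothing for an unquoted numeric position like this one. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- HARDENED: the value is sent to the driver as a typed bind parameter,
      so it is never parsed as SQL. cf_sql_integer also rejects anything
      that is not a whole number before the query is sent. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String values work the same way; maxlength caps oversized input. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#url.sort#"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="50">
</cfquery>

<!--- CAVEAT: bind parameters carry values, not identifiers. A column name
      in ORDER BY cannot be a cfqueryparam, so restrict it to a known list
      and fall back to a fixed default for anything else. --->
<cfset allowedSortColumns = "id,username">
<cfset sortColumn = listFindNoCase(allowedSortColumns, url.sort)
                    ? url.sort : "username">
<cfquery name="listUsers" datasource="myDSN">
    SELECT id, username FROM users ORDER BY #sortColumn#
</cfquery>
```

The `getUserUnsafe` query is included only to show the contrast; the three queries after it are the pattern to keep.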
Pete Freitag at Foundeo is pretty much the ColdFusion security expert. He explains how to protect from SQL injection, including the use of CFQUERYPARAM in this post.
Additional info for protecting against SQL injection can be found in the Learn CF in a Week series.
I would also suggest checking out the CF Lockdown guide from Adobe.