January 26, 2023
cfqueryparam sql injection

I’ve searched the docs but cannot seem to find an answer to “Does using the cfqueryparam prevent SQL Injection”? Found some info while googling but would like a definitive answer from this community.

Thanks!

7 Comments
2024-02-13 15:49:46

I was looking for this too but only found this forum. Did you find SQL injection here?

2023-10-28 06:50:40

Very useful.

2023-02-01 21:52:01

Super helpful, thanks!

2023-01-31 09:18:22

It also uses bind parameters rather than raw text when the statement is executed, which further protects above and beyond enforcing types, as cfsqltype is optional.

2023-08-28 06:07:42
> tomc88740733's comment

Yes.

2023-01-30 17:21:35

CFQUERYPARAM will validate your data type, thus keeping out any SQL injection because those are most often utilizing punctuation and such to ‘hijack’ variables and change your statements. Those punctuation marks will not validate as strings, integers, dates, etc., and the CFQUERYPARAM will throw an error, rather than let the nefarious data get to your DB.

Pete Freitag at Foundeo is pretty much the ColdFusion security expert. He explains how to protect from SQL injection, including the use of CFQUERYPARAM in this post.

Additional info for protecting against SQL injection can be found in the Learn CF in a Week series.

I would also suggest checking out the CF Lockdown guide from Adobe.

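As an added illustration of the answers above (example code written for this page, not from the thread or from Adobe), here is the same lookup with the value interpolated into the SQL text and then with cfqueryparam, plus the cfscript form. The protection comes from the value travelling as a bind parameter, so the database never parses it as SQL; the cfsqltype check is a second layer, and cf_sql_varchar in particular does not reject punctuation. The datasource name, the products table and its columns, and the url/form variables are assumed.

```cfml
<!--- Constructed example; not code from the original thread. --->
<!--- Assumed: datasource "appDSN", table products(id INT, name VARCHAR),
      request variables url.id, form.q and url.sort. --->

<!--- BEFORE: url.id is pasted into the SQL string, so the database parses whatever it holds --->
<cfquery name="getProduct" datasource="appDSN">
    SELECT id, name
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- AFTER: cfqueryparam ships the value as a bind parameter, never as SQL text.
      cfsqltype adds validation on top: a non-integer here throws before the query runs. --->
<cfquery name="getProduct" datasource="appDSN">
    SELECT id, name
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Caveat: bind parameters cover values only. A column name or ASC/DESC cannot be
      parameterized, so allow-list it explicitly and fall back to a safe default. --->
<cfset sortCol = (structKeyExists(url, "sort") AND arrayFindNoCase(["name", "id"], url.sort))
                 ? url.sort : "name">

<!--- Strings: cf_sql_varchar accepts punctuation; the bind parameter is what keeps the value
      out of the SQL grammar. maxlength bounds the input as a defensive extra. --->
<cfquery name="searchProducts" datasource="appDSN">
    SELECT   id, name
    FROM     products
    WHERE    name LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar" maxlength="100">
    ORDER BY #sortCol#
</cfquery>

<!--- Same search in cfscript with queryExecute (CF11+ / Lucee): named placeholder, typed param --->
<cfscript>
products = queryExecute(
    "SELECT id, name FROM products WHERE name LIKE :q ORDER BY #sortCol#",
    { q = { value = "%#form.q#%", cfsqltype = "cf_sql_varchar", maxlength = 100 } },
    { datasource = "appDSN" }
);
</cfscript>
```

With the hardened queries, an input that is not an integer raises a ColdFusion error before any SQL is sent, which is also a useful signal to log and alert on.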