Jul 22 2008
ColdFusion, Security, SQL, Technology
This April, Peter Boughton put a little tool on RiaForge called QueryParam Scanner. It does what it says: it scans your CFML for cfquery tags that use variables without wrapping them in cfqueryparam. That means you have no excuse not to batten down the hatches on that old code you've got swept under the rug. It also meant I didn't have any excuses either, so I gave it a run tonight.

Whether you wrote it or not, everyone probably has some old code lying around that doesn't use cfqueryparam to protect its cfqueries. I had some ancient stuff. Like, CF 4.5 days. I'm talking pound signs in my cfif statements! In light of the sweeping SQL injection attacks making their rounds recently, I think it is very appropriate to bring this to attention. The cfqueryparam tag in ColdFusion has several purposes:
- Built-in data type checking: the cfsqltype attribute validates the value before the query runs, so a value like `1 OR 1=1` is rejected for cf_sql_integer instead of being sent to the database.
- Separates SQL code from parameters: the value is sent to the database as a bind variable rather than being concatenated into the SQL string.
- This encourages your DBMS to cache a reusable execution plan, since the SQL text stays the same from one request to the next, which can improve performance.
- It guarantees that parameter values will NEVER spill over into the SQL to be accidentally executed.
- That means a cfquery whose dynamic values all go through cfqueryparam is immune to SQL injection through those values. The one caveat: cfqueryparam can only parameterize values, not identifiers, so anything you still interpolate directly (a column name in an ORDER BY, a table name) needs to be validated against a whitelist instead.
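To make the difference concrete, here is the kind of query QueryParam Scanner flags, beside the hardened form. This is an added example, not code from the original post or from the scanner; the datasource name `myDSN`, the `users` table and the `url.id`/`form.username`/`url.statusList` variables are assumed for illustration.

```cfml
<!---
  BEFORE: the classic CF 4.5-era query. url.id is interpolated straight into
  the SQL. For a numeric column there are no quotes around the value, so
  ColdFusion's automatic single-quote escaping inside cfquery does nothing
  to help: url.id = "1 OR 1=1" becomes "WHERE user_id = 1 OR 1=1" and
  returns every row. (myDSN and the users table are assumed names.)
--->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_id = #url.id#
</cfquery>

<!---
  AFTER: every dynamic value goes through cfqueryparam.
  - cf_sql_integer makes ColdFusion validate the value first; "1 OR 1=1"
    throws "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER" and the query
    never reaches the database.
  - The value is sent as a bind variable, so the SQL text the database sees
    is always "WHERE user_id = ?" and it can reuse one execution plan.
--->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!---
  Strings get the same treatment. maxlength is an extra sanity check on
  input length; it has nothing to do with injection but costs nothing.
--->
<cfquery name="findUser" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  user_name = <cfqueryparam value="#form.username#"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="50">
</cfquery>

<!---
  The case people fall back to string concatenation for: an IN clause built
  from a list. list="true" expands the value into one bound parameter per
  element, so you still never interpolate the raw list into the SQL.
  Example: url.statusList = "active,pending" binds two parameters.
--->
<cfquery name="getByStatus" datasource="myDSN">
    SELECT user_id, user_name
    FROM   users
    WHERE  status IN (<cfqueryparam value="#url.statusList#"
                                    cfsqltype="cf_sql_varchar"
                                    list="true">)
</cfquery>
```

Run the unsafe version with `?id=1 OR 1=1` and you get the whole table; run the hardened version with the same input and you get a ColdFusion validation error before any SQL is executed. Note that none of this covers a dynamic ORDER BY column or table name, because cfqueryparam only binds values; for those, compare the input against a fixed list of allowed identifiers before using it.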