ColdFusion SQL Security

It's common for a web application to read, insert, update, or delete data in a database, and in doing so you must take care whenever a variable ends up inside your SQL. The value may come from a search form or be passed in the URL, but wherever it comes from, there is a risk of SQL injection and, if the value is later stored and rendered back to users, of cross-site scripting or other attacks on your system. ColdFusion provides a few helpful tools for preventing people from executing malicious SQL against your database. One is the cfqueryparam tag, which binds the value as a query parameter instead of pasting it into the SQL text. (Note that cfqueryparam addresses SQL injection only; JavaScript that has already been stored in the database is stopped by encoding the data when it is displayed, not by the query.) Assuming we set first_name = "Kevin", the query would look something like this:

    SELECT u.first_name, u.last_name
    FROM users u
    WHERE u.first_name = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#first_name#">

This will […]
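As an added example that is not part of the original post, here is the unsafe interpolation pattern beside the cfqueryparam form, plus the output-encoding step that cfqueryparam does not cover. The datasource name appdb, the users table columns (id, first_name, last_name), and the URL parameters are assumptions made for the example. The vulnerable query uses an unquoted numeric value on purpose: inside cfquery ColdFusion automatically doubles single quotes in interpolated variables, so the classic quoted-string payload is blunted, but an unquoted #url.id# is pasted in verbatim and a value such as 1 OR 1=1 rewrites the WHERE clause.

```cfml
<!--- Added example, not from the original post.
      Assumed datasource "appdb" with table users(id, first_name, last_name). --->
<cfparam name="url.first_name" default="Kevin">
<cfparam name="url.id" default="1">

<!--- VULNERABLE: url.id is pasted straight into the SQL. Requesting
      ?id=1 OR 1=1 turns the WHERE clause into "WHERE u.id = 1 OR 1=1"
      and returns every row. ColdFusion's automatic single-quote escaping
      does not help here because the value is not inside quotes. --->
<cfquery name="getUserUnsafe" datasource="appdb">
    SELECT u.first_name, u.last_name
    FROM users u
    WHERE u.id = #url.id#
</cfquery>

<!--- SAFE: every user-supplied value is bound as a typed parameter.
      cf_sql_integer rejects "1 OR 1=1" outright; cf_sql_varchar sends the
      name as data, so quotes or SQL keywords in it are never parsed as SQL.
      maxlength caps oversized input before it reaches the database. --->
<cfquery name="getUsers" datasource="appdb">
    SELECT u.first_name, u.last_name
    FROM users u
    WHERE u.id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
       OR u.first_name = <cfqueryparam cfsqltype="cf_sql_varchar"
                                       value="#url.first_name#"
                                       maxlength="50">
</cfquery>

<!--- cfqueryparam protects the query, not the page. A name stored as
      <script>...</script> is still returned as-is, so encode it on output
      to prevent stored XSS. --->
<cfoutput query="getUsers">
    #encodeForHTML(first_name)# #encodeForHTML(last_name)#<br>
</cfoutput>
```

Use cfqueryparam for every value that reaches the query, including numbers and values that come from your own session or database, since the tag also lets the driver reuse the prepared statement across requests.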