Contents > Developing ColdFusion MX Applications > Accessing and Retrieving Data > Enhancing security with cfqueryparam > About query string parameters
When you let a query string pass a parameter, ensure that only the expected information is passed. The following ColdFusion query contains a WHERE clause, which selects only database entries that match the last name specified in the LastName field of a form:
    <cfquery name="GetEmployees" datasource="CompanyInfo">
        SELECT FirstName, LastName, Salary
        FROM Employee
        WHERE LastName='#Form.LastName#'
    </cfquery>
Someone could call this page with the following malicious URL:
http://myserver/page.cfm?Emp_ID=7%20DELETE%20FROM%20Employee
The result is that ColdFusion tries to execute the following query:
    <cfquery name="GetEmployees" datasource="CompanyInfo">
        SELECT * FROM Employee WHERE Emp_ID = 7 DELETE FROM Employee
    </cfquery>
In addition to an expected integer for the Emp_ID column, this query also passes malicious string code in the form of a SQL statement. If this query successfully executes, it deletes all rows from the Employee table--something you definitely do not want to enable by this method. To prevent such actions, you must evaluate the contents of query string parameters.
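As an added example (not code from the original page), the queries above rewritten with cfqueryparam, which binds each value as a typed parameter instead of splicing it into the SQL text; the maxlength value is an assumed bound chosen here, not one the page gives.

```cfml
<!--- Vulnerable form, as shown on this page: the raw URL value becomes part of the SQL text --->
<cfquery name="GetEmployee" datasource="CompanyInfo">
    SELECT FirstName, LastName, Salary
    FROM Employee
    WHERE Emp_ID = #URL.Emp_ID#
</cfquery>

<!--- Hardened form: cfqueryparam sends Emp_ID as a bound integer parameter.
      ColdFusion validates the value against cf_sql_integer, so a value such as
      "7 DELETE FROM Employee" raises an error before any SQL reaches the database;
      a valid value travels as data and can never be parsed as a second statement. --->
<cfquery name="GetEmployee" datasource="CompanyInfo">
    SELECT FirstName, LastName, Salary
    FROM Employee
    WHERE Emp_ID = <cfqueryparam value="#URL.Emp_ID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same treatment for the form field: a bound string parameter with a length cap.
      maxlength="50" is an assumed limit for this example, not a value from the page. --->
<cfquery name="GetEmployees" datasource="CompanyInfo">
    SELECT FirstName, LastName, Salary
    FROM Employee
    WHERE LastName = <cfqueryparam value="#Form.LastName#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
```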
Version 6.1
Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/queryd12.htm