SQLi Results: No Errors

Posted At : August 13, 2008 7:00 AM | Posted By : Steve
Related Categories: ColdFusion,Page Controller

It has been interesting to see the results of the recent series of SQL injection attacks. I have been using <cfqueryparam> for all dynamic data for years, so I wasn't worried about the SQL injection. Still, even for sites with <cfqueryparam>, error email messages remain a problem.

Although I have gotten some errors from some sites, none from my newer sites. The reason is that earlier steps I have taken prevent errors from invalid URL variables.

The Page Controllers that I use have their own param() method that works mostly like <cfparam>.

It has three arguments:

name: The name of the variable
type: The variable type
default: The default value

The big difference from this to <cfparam> is that <:cfparam> throws an error if the variable exists but isn't of the appropriate type whereas the param() method of the Page Controller will just go ahead and set the default value.

I would love it if this behavior was available as an option for <cfparam> as well.

Although this is my preferred technique, on some older sites I relied on try/catch:

<cftry>
   <cfparam name="url.id" type="numeric">
   <cfcatch>
      <cflocation url="index.cfm" addtoken="No">
   </cfcatch>
</cftry>

A cleaner approach that I have also used is Val(), which is effective in preventing errors:

<cfif isDefined("URL.id")>
<cfset URL.id = Val(URL.id)>
<cfelse>
<cfset URL.id = 0>
</cfif>

You can read more about Page Controllers or view PageController.cfc. Even if you don't like the concept of a Page Controller, I think the param() method is still useful by itself.

Print |

Digg It! |

Linking Blogs | 4651 Views

Comments (Comment Moderation is enabled. Your comment will not appear until approved.)

There are no comments for this entry.

[Add Comment]

Archives By Subject

Brownfield Development (1) [RSS]
CF_BlogPicks (50) [RSS]
CF_DMQuery (3) [RSS]
CFUG (9) [RSS]
CodeCop (7) [RSS]
ColdFusion (154) [RSS]
ColdFusion Builder (2) [RSS]
com.sebtools (45) [RSS]
CSS (21) [RSS]
DataMgr (83) [RSS]
Frameworks (13) [RSS]
Git (3) [RSS]
HTML (11) [RSS]
JavaScript (9) [RSS]
Layout Components (5) [RSS]
Mailer.cfc (9) [RSS]
Neptune (8) [RSS]
Neptune Programs (4) [RSS]
OO Principles (9) [RSS]
Page Controller (6) [RSS]
Personal (27) [RSS]
Productivity (14) [RSS]
Railo (2) [RSS]
RSS Reader (1) [RSS]
sebtags (19) [RSS]
SpamFilter (7) [RSS]
SQL (16) [RSS]
StarterCart (2) [RSS]
SVG (1) [RSS]
Testing (7) [RSS]
Usability (15) [RSS]
Web Servers (4) [RSS]
Windows (1) [RSS]

Badges

Calendar

Latest from MXNA

Feed temporarily down.

NAVIGATION

Blog Home
Site Home

Recent Entries

No recent entries.

Recent Comments

Pluralizing in ColdFusion
Steve Bryant said: James, Sorry I missed your comment earlier. I haven't compared to other libraries. I didn't even kn... [More]

Pluralizing in ColdFusion
James Moberg said: Have you compared the results with other libraries? I use an inflector CFC and I see that some of t... [More]

Git Branching Strategy for Web Development
Thomas said: Hi Steve, thanks a lot for this post. While considering Git Web Flow for our branching strategy, t... [More]

Getting Around Windows 7 "Destination Path Too Long" Error When Deleting Files
MxP said: The above robocopy command worked like a charm! I had a deeply nested folder structure that I wante... [More]

New Open Source ColdFusion Shopping Cart
Paul said: I gave up on this after all kinds of pathing issues. Couldn't be bothered tracing where to change th... [More]

RSS

Search

Subscribe

Enter your email address to subscribe to this blog.

Tags

cf_blogpicks coldfusion com.sebtools css datamgr frameworks html personal productivity sebtags sql usability

BlogCFC was created by Raymond Camden. This blog is running version 5.8.001.