How to protect your ColdFusion site from a SQL Injection attack?

This week a lot of the older ColdFusion sites were under SQL injection attack. Wrapping every user-supplied value in a cfqueryparam tag would have protected those sites from the attack.

cfqueryparam verifies the data type of a query parameter and, for DBMSs that support bind variables, enables ColdFusion to use bind variables in the SQL statement. The value is then sent to the database separately from the SQL text instead of being interpolated into it, so attacker-controlled input cannot change the structure of the query. Bind variable usage also enhances performance when executing a cfquery statement multiple times, and if you specify optional parameters such as cfsqltype and maxlength, the tag performs data validation before the query is sent (for example, a non-numeric value for cf_sql_integer is rejected). Note that bind variables can only carry values: table names, column names and ORDER BY targets cannot be parameterized and must be validated some other way.
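The following is an added example, not code from the original post, showing a vulnerable cfquery beside its cfqueryparam-protected form, plus the LIKE, IN and ORDER BY cases. The datasource name myDSN, the users table and its columns, and the request variables url.id, form.q, form.ids and url.sort are assumptions for illustration.

```cfml
<!--- Assumed datasource "myDSN" and table "users" for illustration. --->

<!--- VULNERABLE: url.id is pasted straight into the SQL text, so a request
      such as ?id=1%20OR%201=1 rewrites the WHERE clause. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: the value travels as a bind variable and is never parsed as
      SQL; cfsqltype="cf_sql_integer" also rejects non-numeric input before
      the query reaches the database. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username, email
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- LIKE: put the wildcard in the parameter value, not in the SQL text.
      maxlength caps the bound value length (assumed 50 for this example). --->
<cfquery name="searchUsers" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="#form.q#%"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="50">
</cfquery>

<!--- IN: list="true" expands a comma-delimited value into one bind variable
      per element, each individually checked as an integer. --->
<cfquery name="getSelected" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id IN (<cfqueryparam value="#form.ids#"
                               cfsqltype="cf_sql_integer"
                               list="true">)
</cfquery>

<!--- ORDER BY: a column name cannot be a bind variable, so cfqueryparam does
      not apply. Restrict the request value to a fixed allow-list and fall
      back to a safe default rather than trusting url.sort. --->
<cfset allowedSort = "id,username,email">
<cfif listFindNoCase(allowedSort, url.sort)>
    <cfset sortCol = url.sort>
<cfelse>
    <cfset sortCol = "id">
</cfif>
<cfquery name="listUsers" datasource="myDSN">
    SELECT id, username, email
    FROM users
    ORDER BY #sortCol#
</cfquery>
```

In the LIKE case a user can still supply `%` or `_` inside form.q; that only widens the match and cannot alter the query, but escape those characters too if exact-prefix matching matters to the application.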

Here are some related posts and solutions of interest:

  1. Hacker Webzine Recommends Use Of CFQUERYPARAM
  2. Three part series from The Coldfusion Muse blog – Part 1, Part 2, Part 3
  3. Using cfqueryparam with LIKE and IN Clauses
  4. Other techniques to prevent a SQL Injection attack
  5. When not to use cfqueryparam

