cfqueryparam and cachedwithin
To prevent SQL injection in ColdFusion, we should use the <cfqueryparam> tag inside the <cfquery> tag. It is a good tag, and it outputs the variable in the form MS SQL expects. But to get good performance from our website, we should also use the cachedwithin attribute of the <cfquery> tag. If we use a <cfqueryparam> tag inside a <cfquery> that has cachedwithin, an error occurs for sure: such a <cfquery> doesn't allow the <cfqueryparam> tag. So, how do we prevent SQL injection and still get good performance for the site without using <cfqueryparam>? The answer is quite simple: we need to put the following code at the top of the page.
<CFIF IsDefined("id") AND NOT IsNumeric(id)>
    <cfabort showerror="Invalid Query String">
</CFIF>
And also add the following code in the <cfquery> tag:
WHERE ID = #Val(id)#
How's that? It's easy, isn't it?
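Here is the guard and the cached query together on one page, as an added example that is not from the original post. It assumes the id arrives in the URL scope as url.id and that the datasource is called "myDSN"; the last query shows the <cfqueryparam> form that works once cachedwithin and <cfqueryparam> no longer clash, as the reader comment below notes.

```cfml
<!--- Added example, not the post's own code. Assumed names: url.id, myDSN. --->

<!--- Make sure url.id always exists so the query below never hits an
      undefined variable; 0 matches no real row. --->
<cfparam name="url.id" default="0">

<!--- 1. Reject anything that is not numeric before it reaches the query.
      IsNumeric() also accepts decimals and signed values, so "12.5" and
      "-3" pass here; Val() below keeps the result numeric either way. --->
<cfif NOT IsNumeric(url.id)>
    <cfabort showerror="Invalid Query String">
</cfif>

<!--- 2. Cached query. Only the result of Val() is ever interpolated into
      the SQL text: Val("42") is 42, Val("42abc") is 42, Val("abc") is 0.
      A non-numeric string therefore cannot change the shape of the
      statement, and cachedwithin still caches the result set. --->
<cfquery name="getProduct" datasource="myDSN"
         cachedwithin="#CreateTimeSpan(0, 1, 0, 0)#">
    SELECT id, name, price
    FROM   products
    WHERE  id = #Val(url.id)#
</cfquery>

<!--- 3. On ColdFusion 8 and later, cfqueryparam and cachedwithin can be
      combined, so the typed, bound parameter is the preferred form: the
      value is never concatenated into the SQL and the query is still cached. --->
<cfquery name="getProductCF8" datasource="myDSN"
         cachedwithin="#CreateTimeSpan(0, 1, 0, 0)#">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```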


Good post. It might be good to update it to mention that since CF8 there is no longer the clash between CFQUERYPARAM tags and the cachedwithin attribute of CFQUERY.
–
Adam