cfqueryparam and cachedwithin
To prevent SQL Injection in Coldfusion, we should use <cfqueryparam> tag between <cfquery> tag. It’s good tag and it output the variable which MS.SQL like. But to get good performance of our website, we should use cachedwidthin attribute of cfquery tag. If we use <cfqueryparam> tag in <cfquery>, error occur for sure and <cfquery> doesn’t allow <cfqueryparam> tag. So, how to prevent for SQL injection and how to get good performance for your site without using <cfqueryparam>. The answer is quite simple: we need put following coding at the top of your page.
<CFIF IsDefined(“id”) AND NOT IsNumeric(id)>
<cfabort showerror=”Invalid Query String”>
</CFIF>
And, also add following coding in <cfquery> tag,
WHERE ID = #Val(id)#
How? It’s easy though, isn’t it?
