Bytes IT Community

Validate form input to protect against SQL Attack

Hi there. I am trying to get the action page of the website I'm building to check whether the form input values are empty; if they are not, it will then check whether any of the form inputs contain any SQL. I have read in some other places that you can use cfparam or cfqueryparam to stop this, but I don't really know how to use them.

This is the code:

```cfml
<cfif len(form.username) EQ 0 OR len(form.password) EQ 0>
    <p>You did not enter a username or password</p>
    <p><a href="index.cfm">Please go back and try again</a></p>
<cfelse>
    <!--- Form values are interpolated straight into the SQL text --->
    <cfquery name="login" datasource="blah">
    SELECT login, password
    FROM member
    WHERE login = '#form.username#' AND password = '#form.password#'
    </cfquery>

    <cfif login.RecordCount GT 0>

        <cfif '#form.username#' EQ #login.login# AND '#form.password#' EQ #login.password#>
            <p> Your name is right...</p>
            <cfset session.memberLogin = #form.username#>
        <cfelse>
            <p>Sorry incorrect username or password, please try again</p>
            <cflocation url="index.cfm">
        </cfif>

        <cfoutput>
            <!--- session.memberLogin is the variable set after a successful match --->
            <cfif session.memberLogin IS "admin">
                <cflocation url="index.cfm">
            <cfelse>
                <cflocation url="profile.cfm?un=#session.memberLogin#">
            </cfif>
        </cfoutput>

    <cfelse>
        <p>Sorry you entered an incorrect username/password</p>
        <p><a href="index.cfm">Try again here!</a></p>
    </cfif>

</cfif>
```
Any help would be awesome, thanks.
Mar 26 '09 #1

✓ answered by jKara
2 Replies


@sc0705837
It is cfqueryparam. It does not check to see if the inputs contain SQL, but rather _helps_ prevent malicious sql from being executed in the query by enforcing data type rules.

Using cfqueryparam is very simple. The most basic form requires only: "value" and "cfsqltype". The cfsqltype is a string value that represents the data type of your table column. The correct values to use are determined by database type, but some examples are: cf_sql_varchar, cf_sql_integer, etc...

You can find more information about cfqueryparam in the online documentation:
http://livedocs.adobe.com/coldfusion...gs_p-q_18.html

```cfml
<cfquery name="login" datasource="blah">
SELECT login, password
FROM member
WHERE
login = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar"> AND password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
</cfquery>
```
Mar 27 '09 #2
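The distinction the reply draws, interpolated SQL text versus a bound parameter, shown in Python with sqlite3 as an added example that is not from the thread. The `member` table, its rows and the function names are constructed for the demo; sqlite3's `?` placeholders stand in for cfqueryparam, and the `isinstance` check stands in for the type rule that `cfsqltype` enforces.

```python
import sqlite3

# Constructed sample rows standing in for the page's "member" table.
MEMBERS = [("alice", "s3cret"), ("o'brien", "pa55word")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    return conn


def login_interpolated(conn, username, password):
    """Mirrors the original query: values are spliced into the SQL text,
    so a quote or keyword in the input becomes part of the statement."""
    sql = ("SELECT login, password FROM member "
           f"WHERE login = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Mirrors the cfqueryparam version: the SQL text is fixed and the
    values are bound separately, so input is always treated as data."""
    # cfsqltype="cf_sql_varchar" analogue: enforce the declared type first.
    if not isinstance(username, str) or not isinstance(password, str):
        raise TypeError("login and password must be strings")
    sql = ("SELECT login, password FROM member "
           "WHERE login = ? AND password = ?")
    return conn.execute(sql, (username, password)).fetchall()


def record_count(rows):
    """Equivalent of the page's login.RecordCount GT 0 check."""
    return len(rows)


def demo():
    conn = make_db()
    results = {}
    results["param_ok"] = record_count(login_parameterized(conn, "alice", "s3cret"))
    results["param_wrong"] = record_count(login_parameterized(conn, "alice", "nope"))
    # An apostrophe in the login is ordinary data for the bound query...
    results["param_quote"] = record_count(login_parameterized(conn, "o'brien", "pa55word"))
    # ...but is parsed as SQL when spliced into the statement text.
    try:
        login_interpolated(conn, "o'brien", "pa55word")
        results["interp_quote"] = "ran"
    except sqlite3.OperationalError:
        results["interp_quote"] = "syntax error"
    return results
```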

P: 3
Right, thanks a lot for the help, will just go set this up. It's only a student project so this minimal amount of protection should be good enough.

Thanks again!
Mar 31 '09 #3
