Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Request For Comments on Database Security

Status
Not open for further replies.
ice78991

ice78991

Programmer
Nov 20, 2006
216
I am using the following method to query a database


This code is in a .cfm page
<!--- GET MEMBER DETAILS --->
<CFINVOKE COMPONENT="components/manageAdvertiser"
METHOD="InitDetails"
MemberInfo = #Trim(mid)#
RETURNVARIABLE="Details">
</CFINVOKE>


It accesses a function stored in a .cfc

<cffunction name="InitDetails_admcomp" access="public" returntype="query" output="no">
<cfargument name="MemberInfo" type="string" required="yes">

<cfset var Details = "">

<CFQUERY NAME="Details" DATASOURCE="#APPLICATION.DB#" USERNAME="#APPLICATION.UN#" PASSWORD="#APPLICATION.PW#">
SELECT *
FROM Profile
WHERE MemberID_mpe = #Trim(ARGUMENTS.MemberInfo)#
ORDER BY CreatedDate_mpe
</CFQUERY>

<cfreturn Details>
</cffunction>

Is this secure or should I be implementing cfqueryparam
( which will take a lot of rewriting) I am using SQL Server 2005 so databinding is not an issue
 
Sort by date Sort by votes

As a rule of thumb you should always use cfqueryparam for embedded queries. Not only will the execute quicker, they also offer more security, by ensuring the data is of the correct type.

If you are looking for more security then you have got to make this and all of your other queries stored procedures and then call them via cfstoredproc. this will also execute quicker as the stored procedure will be compiled on the database server, and it also makes sense to have the query there as that is what the db server is for!

Also, on a side note, the query will execute quicker if you specify the fields that you want, and not just put select *. I've had problems in the past where cf has cached a query when I've used select *, then when i add a new field to the table it doesn;t get picked up due to the caching

Hope this helps!

Tony
 
Upvote 0 Downvote
Thanks for your help. As far as the data checking goes, would not my code offer the same degree of security ?

<cfargument name="MemberInfo" type="string" required="yes">

On the point of cfqueryparam executing quicker, I read somewhere that this is only true on Oracle systems because they make use of data binding, whereas SQL Server does not. Maybe someone could verify this?
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

sirnose1
  • Locked
  • Question
CFIF for CFmail
Replies
0
Views
313
sirnose1
sirnose1
cohan123
  • Locked
  • Question
page layout-&gt;page size, optimal for web
Replies
0
Views
245
cohan123
cohan123
FALCONSEYE
  • Locked
  • Question
Error: no known VMs. (check for corrupt jvm.cfg file) !!! How I Fixed It !!!
Replies
0
Views
356
FALCONSEYE
FALCONSEYE
lollieleaver
  • Locked
  • Question
Dreamweaver CS4 - how can I make an Access database downloadable from my site?
Replies
2
Views
101
lollieleaver
lollieleaver
hifispin2015
  • Locked
  • Question
Creating a slect all button for A Multiple Slect HTML Form Field
Replies
1
Views
104
LyndonOHRC
LyndonOHRC

Part and Inventory Search

Sponsor

Back
Top