Is it necessary to cfqueryparam all values?
I had a question today asking why Fixinator does not add cfqueryparam to static values within a query. For example, if you have this code:
<cfquery> INSERT INTO tbl (a, b) VALUES ( #a#, 'b' ) </cfquery>
When you run Fixinator's autofix on the above, it would give you:
<cfquery> INSERT INTO tbl (a, b) VALUES ( <cfqueryparam value="#a#">, 'b' ) </cfquery>
The above fixes the security issue in the code, and leaves the static value
'b' alone. It would be perfectly valid to write the code like this:
<cfquery> INSERT INTO tbl (a, b) VALUES ( <cfqueryparam value="#a#">, <cfqueryparam value="b"> ) </cfquery>
However, it isn't necessary from a security perspective, and if I had to guess I would imagine it would add a slight amount of unnecessary overhead (decreased performance).
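To make the distinction concrete, here is an added example (not code from the post or from Fixinator) that models the two queries above in Python with an in-memory SQLite table. The `#a#` interpolation is modelled as string formatting and cfqueryparam as a bound parameter; the table name, column names, the attacker payload and the tiny regex-based autofix are all constructed for this illustration and are not Fixinator's implementation.

```python
import re
import sqlite3

# Constructed input: the post's query, with one dynamic value (#a#) and one
# static literal ('b').
CFQUERY_BEFORE = "<cfquery> INSERT INTO tbl (a, b) VALUES ( #a#, 'b' ) </cfquery>"

# Constructed attacker value for the dynamic part: it closes the VALUES tuple,
# supplies a row of its own, and comments out the rest of the statement, so the
# static 'b' the developer wrote never takes effect.
PAYLOAD = "1, 'x'), (2, 'y') --"


def fresh_db():
    """Throwaway in-memory table shaped like the post's INSERT target."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl (a, b)")
    return con


def rows(con):
    return con.execute("SELECT a, b FROM tbl ORDER BY rowid").fetchall()


def insert_vulnerable(con, a):
    """#a# interpolated into the SQL text: the attacker's input becomes part
    of the SQL grammar, exactly as in the unfixed cfquery."""
    sql = f"INSERT INTO tbl (a, b) VALUES ( {a}, 'b' )"
    con.execute(sql)
    return rows(con)


def insert_parameterized(con, a):
    """cfqueryparam on the dynamic value only, modelled as a bound parameter.
    'b' stays a literal in the SQL text; no attacker-controlled bytes can
    reach it, so wrapping it would add nothing."""
    sql = "INSERT INTO tbl (a, b) VALUES ( ?, 'b' )"
    con.execute(sql, (a,))
    return rows(con)


# Toy version of the rewrite the post describes (hypothetical, not Fixinator's
# code): wrap every #...# interpolation in cfqueryparam and leave everything
# else, including quoted literals such as 'b', untouched. The lookbehind keeps
# an already-wrapped value from being wrapped twice.
INTERPOLATION = re.compile(r'(?<!value=")#([^#]+)#')


def autofix(cfquery_src):
    return INTERPOLATION.sub(r'<cfqueryparam value="#\1#">', cfquery_src)


if __name__ == "__main__":
    print("vulnerable:    ", insert_vulnerable(fresh_db(), PAYLOAD))
    print("parameterized: ", insert_parameterized(fresh_db(), PAYLOAD))
    print("autofix:       ", autofix(CFQUERY_BEFORE))
```

With the payload, the vulnerable insert stores the attacker's two rows and the developer's `'b'` is discarded; the parameterized insert stores one row whose `a` column is the payload as plain text and whose `b` column is `'b'`. The rule the autofix encodes is the one the post relies on: a value is static only when it is a literal in the SQL text. A variable such as `#b#` is dynamic even if it happens to hold a constant today, and needs cfqueryparam (in real CFML you would also give it a cfsqltype attribute).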
Is it necessary to cfqueryparam all values? was first published on November 13, 2019.