Pete Freitag

Is it necessary to cfqueryparam all values?

coldfusion

I got a question today asking why Fixinator does not add cfqueryparam to static values within a query. For example, if you have this code:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( #a#, 'b' )
</cfquery>

When you run Fixinator's autofix on the above, it would give you:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, 'b' )
</cfquery>

The above fixes the security issue in the code, and leaves the static value 'b' alone. It would be perfectly valid to write the code like this:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, <cfqueryparam value="b"> )
</cfquery>

However, it isn't necessary from a security perspective, and if I had to guess I would imagine it adds a slight amount of unnecessary overhead (slightly decreased performance).
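To make the distinction concrete, here is an added example (mine, not Pete's code and not Fixinator's output). CFML won't run in a plain test harness, so it uses Python's sqlite3 module, where a bound `?` parameter plays the role of cfqueryparam. The three insert functions mirror the three query forms above: the value spliced into the SQL text, the dynamic value bound with the static literal left in place, and both values bound. The table name, columns and the sample input are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table matching the post's INSERT INTO tbl (a, b)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (a TEXT, b TEXT)")
    return conn


def insert_unparameterized(conn, a):
    # Mirrors VALUES ( #a#, 'b' ): the dynamic value becomes part of the SQL text,
    # so anything in it (a quote, a comma) is parsed as SQL, not data.
    conn.execute(f"INSERT INTO tbl (a, b) VALUES ('{a}', 'b')")


def insert_parameterized(conn, a):
    # Mirrors VALUES ( <cfqueryparam value="#a#">, 'b' ): the dynamic value is bound,
    # the static literal 'b' stays in the statement text. This is Fixinator's autofix shape.
    conn.execute("INSERT INTO tbl (a, b) VALUES (?, 'b')", (a,))


def insert_all_parameterized(conn, a):
    # Mirrors VALUES ( <cfqueryparam value="#a#">, <cfqueryparam value="b"> ):
    # valid, but binding a constant gains nothing the literal did not already have.
    conn.execute("INSERT INTO tbl (a, b) VALUES (?, ?)", (a, "b"))


def rows(conn):
    return conn.execute("SELECT a, b FROM tbl ORDER BY rowid").fetchall()


def demo(a):
    """Run each insert form against a fresh table and return the resulting rows,
    or an 'error: ...' string if the statement failed to parse or execute."""
    forms = (
        ("unparameterized", insert_unparameterized),
        ("parameterized", insert_parameterized),
        ("all_parameterized", insert_all_parameterized),
    )
    results = {}
    for name, fn in forms:
        conn = make_db()
        try:
            fn(conn, a)
            results[name] = rows(conn)
        except sqlite3.Error as exc:
            results[name] = f"error: {exc}"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # Constructed input: a perfectly legitimate value that happens to contain a quote.
    for name, result in demo("O'Brien").items():
        print(f"{name:18} -> {result}")
```

With a harmless value such as `plain`, all three forms insert the same row. With `O'Brien`, the unparameterized form fails because the quote terminates the string literal mid-statement (the same mechanism that makes it injectable), while both parameterized forms store the value verbatim and produce identical rows. The static `'b'` cannot be influenced by input no matter which form is used, which is why leaving it as a literal loses nothing.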


Is it necessary to cfqueryparam all values? was first published on November 13, 2019.
