Is it necessary to cfqueryparam all values?

by Pete Freitag

I had a question today asking why Fixinator does not add cfqueryparam to static values within a query. For example, if you have this code:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( #a#, 'b' )
</cfquery>

When you run Fixinator's autofix on the above, it would give you:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, 'b' )
</cfquery>

The above fixes the security issue in the code, and leaves the static value 'b' alone. It would be perfectly valid to write the code like this:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, <cfqueryparam value="b"> )
</cfquery>

However, it isn't necessary from a security perspective, and if I had to guess I would imagine it would add a slight amount of unnecessary overhead (decreased performance).
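As an added example (not from the post and not Fixinator's output), here is one INSERT that mixes the kinds of values the distinction above turns on: anything interpolated with #...# is data and gets a typed parameter, while a bare literal and a SQL function are part of the statement text and are left alone. The datasource name, table, columns and variable names are assumptions.

```cfml
<!--- Constructed sample values: a is request-controlled, status holds a constant --->
<cfset a = url.a>
<cfset status = "active">

<cfquery name="ins" datasource="myDsn">
INSERT INTO tbl (a, b, status, created)
VALUES (
    <!--- Interpolated from a variable: data, so parameterize it and declare a type --->
    <cfqueryparam value="#a#" cfsqltype="cf_sql_varchar" maxlength="50">,
    <!--- A literal with no #...# inside is static SQL text; no parameter needed --->
    'b',
    <!--- Still interpolated: writing '#status#' would make the string part of the
          SQL text, so it is parameterized even though status is a constant here --->
    <cfqueryparam value="#status#" cfsqltype="cf_sql_varchar">,
    <!--- A database function call is static SQL text, not data --->
    CURRENT_TIMESTAMP
)
</cfquery>
```

The rule of thumb the scanner applies is the one shown here: the presence of #...# inside the SQL, not whether the value looks constant to a human reader, decides whether a cfqueryparam is needed.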

The Fixinator Code Security Scanner for ColdFusion & CFML is an easy-to-use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.