Does anyone know another way of sanitizing SQL wit...
# cfml-general
a
Does anyone know another way of sanitizing SQL without cfqueryparam in cfml? It's for use in the SELECT zone, and not within the WHERE conditions.
t
cfqueryparam works in the select zone too, generally... It's using it for table names in FROM and JOIN where it breaks down. And for that, I generally either use a whitelist of table names to compare against, or query INFORMATION_SCHEMA.TABLES.
a
That was exactly what I needed @Tim. Thank you so much!!!
I already whitelist table and DB name strings, usually with a switch case or an arrayContains(). Thanks for pointing that out.
a
Bear in mind that query parameters are not for "sanitising" SQL. They are for passing dynamic data values to the DB along with the SQL statement. Same as with anywhere in the SQL statement, the query parameter value is a data value and not just part of the SQL string you pass to the DB. This is likely to be relevant because you can't do this:
SELECT <cfqueryparam value="#someDynamicColumnReference#">
In the hope that you'll end up with:
SELECT some_column_name
(which I suspect is what yer trying to do). What you will end up with is:
SELECT 'some_column_name'
I.e. a string literal, not a reference to a column.
n
Not sure if it fits exactly, but using views can limit exposure.