Title:
Bug 78833:(Watson Migration Closure)[ANEFF] ER for: Injection-proofing cfinsert/cfupdateone suggestion: parametrize="true" attribute, which could internally use cfdbinfo to parametrize the queriesanother suggestion: just make it automat
Status/Resolution/Reason: Closed/Withdrawn/
Reporter/Name(from Bugbase): Aaron Neff / Aaron Neff (Aaron Neff)
Created: 07/15/2009
Versions: 9.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 /
Priority/Frequency: Normal / Unknown
Locale/System: English / Platforms All
Vote Count: 2
Problem:
[ANEFF] ER for: Injection-proofing cfinsert/cfupdate

one suggestion: parametrize="true" attribute, which could internally use cfdbinfo to parametrize the queries
another suggestion: just make it automatically safe, w/o requiring additional parameter
another suggestion: add a timespan attribute, like on query caching, then it can also be reset

Related thread: https://prerelease.adobe.com/r/?146908c2f6ba4153bb9a727e6e43c1c1

Regardless of implementation, I feel this needs to be done. Even if performance decreases, at least the queries are safe. If the developer wants better performance, then cfinsert/cfupdate can be replaced by cfqueryparam.

Something needs to be done ASAP to make cfinsert/cfupdate safer from SQL Injection attacks.

(I put "crashes server", b/c if someone uses the examples in the cfinsert/cfupdate docs, then serious problems can occur)
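As an added illustration (not code from this bug report, nor from Adobe's documentation), the replacement the reporter points to: the same insert and update written with cfquery and cfqueryparam instead of cfinsert/cfupdate. The datasource name "appDSN" and the users(id, username, email) table are assumed placeholders.

```cfml
<!--- Assumed for this example: datasource "appDSN", table users(id, username, email). --->

<!--- Before: cfinsert/cfupdate assemble the SQL from the named form fields themselves,
      with no way for the developer to bind the values; this is the exposure the ER describes. --->
<cfinsert datasource="appDSN" tablename="users" formfields="username,email">
<cfupdate datasource="appDSN" tablename="users" formfields="id,username,email">

<!--- After: the same statements written explicitly. Every form value passes through
      cfqueryparam, so the driver receives it as a bound parameter rather than as SQL text;
      cfsqltype enforces the expected type and maxlength bounds the accepted length. --->
<cfquery datasource="appDSN">
    INSERT INTO users (username, email)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#form.email#"    cfsqltype="cf_sql_varchar" maxlength="254">
    )
</cfquery>

<cfquery datasource="appDSN">
    UPDATE users
    SET username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">,
        email    = <cfqueryparam value="#form.email#"    cfsqltype="cf_sql_varchar" maxlength="254">
    <!--- cf_sql_integer rejects a non-numeric id with a ColdFusion error before any SQL is sent --->
    WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>
```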
Method:
Result:
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3039303
External Customer Info:
External Company:
External Customer Name: Aaron Neff
External Customer Email: 3D1D17B03C844EBF992001AC
External Test Config: 07/15/2009
Attachments:
Comments: