Title: Bug 72734: (Watson Migration Closure) Since SQL Injections are such a huge issue right now, I was thinking another way CF could help to prevent SQL injections is to provide some functions for limiting the FORM/URL variables to a specific
Status/Resolution/Reason: Closed/Deferred/
Reporter/Name(from Bugbase): Dan Switzer / Dan G. Switzer, II (Dan Switzer)
Created: 08/19/2008
Components: General Server
Versions: 9.0
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 /
Priority/Frequency: Normal / Unknown
Locale/System: English / Platforms All
Vote Count: 0
Problem:
Since SQL Injections are such a huge issue right now, I was thinking another way CF could help to prevent SQL injections is to provide some functions for limiting the FORM/URL variables to a specific list of values.
I'd just add the following functions:
listGetValue(list, value, default, delimiter)
listGetValueNoCase(list, value, default, delimiter)
arrayGetValue(array, value, default)
arrayGetValueNoCase(array, value, default)
You could use the functions like this:
select
*
from
table
order by
#listGetValueNoCase("name,email,phone", url.sort, "name")#
What this would do is look for the value of #url.sort# in the list of "name,email,phone". If the value is found then the value would be returned, otherwise the default value ("name") would be returned.
Right now you can do this with a combination of if/else statements with the listFind functions, but this would reduce the number of steps and help to enforce input to specific values.
The functions would essentially do:
if( listFindNoCase(list, value, delimiter) ) return value;
else return default;
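The allowlist pattern the report proposes, worked through as an added example that is not part of the bug report and not ColdFusion's own code. It is written in Python with sqlite3 rather than CFML so the effect on the query can be run end to end; the function names follow the reporter's proposed listGetValue / listGetValueNoCase / arrayGetValueNoCase, and the contacts table and its rows are constructed here for illustration. One deliberate difference from the pseudocode above: the case-insensitive variants return the allowlist's own spelling of the matched entry rather than the caller's value, so the string spliced into the SQL is always one of the literals the developer wrote down.

```python
import sqlite3

# Constructed for this example: the allowlist of columns a user may sort by,
# in the same "name,email,phone" form the bug report uses.
ALLOWED_SORT_COLUMNS = "name,email,phone"


def list_get_value(allowed, value, default, delimiter=","):
    """Case-sensitive: return value only if it is an exact entry in the delimited list."""
    items = [item.strip() for item in allowed.split(delimiter)]
    return value if value in items else default


def list_get_value_no_case(allowed, value, default, delimiter=","):
    """Case-insensitive: return the allowlist's own spelling of the matched entry, else default."""
    items = [item.strip() for item in allowed.split(delimiter)]
    return array_get_value_no_case(items, value, default)


def array_get_value_no_case(allowed, value, default):
    """Same as above but for an array/list of entries instead of a delimited string."""
    wanted = value.lower()
    for item in allowed:
        if item.lower() == wanted:
            return item          # canonical spelling from the allowlist, not the caller's input
    return default


def build_contacts_db():
    """Constructed in-memory table standing in for the 'table' in the report's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)",
        [
            ("Zoe", "zoe@example.com", "555-0101"),
            ("Adam", "adam@example.com", "555-0102"),
            ("Maya", "maya@example.com", "555-0103"),
        ],
    )
    return conn


def sorted_contact_names(conn, url_sort):
    """Equivalent of the report's ORDER BY #listGetValueNoCase("name,email,phone", url.sort, "name")#.

    Bind parameters cannot carry a column name, which is why ORDER BY is the classic
    place this allowlist is needed: whatever arrives in url.sort, `column` below is
    guaranteed to be one of the three literals in ALLOWED_SORT_COLUMNS or the default.
    """
    column = list_get_value_no_case(ALLOWED_SORT_COLUMNS, url_sort, "name")
    rows = conn.execute(f"SELECT name FROM contacts ORDER BY {column}").fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_contacts_db()
    print(sorted_contact_names(db, "PHONE"))       # matched case-insensitively -> sorted by phone
    print(sorted_contact_names(db, "phone desc"))  # not an exact entry -> falls back to "name"
```

Anything that is not an exact (case-folded) entry in the list, including an otherwise harmless "phone desc", is replaced by the default, which is the behaviour the report asks for: the input is constrained to the values the developer enumerated rather than filtered for bad characters.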
Method:
Result:
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3035862
External Customer Info:
External Company:
External Customer Name: Dan G. Switzer, II
External Customer Email: 40F50E07427F7E67992016B7
External Test Config: 08/19/2008
Attachments:
Comments: