Can CFSWITCH prevent SQL injection when used for a sort column?
I use the following technique to ensure that any sort column params coming from the client go through a ListFindNoCase() function:
<cfif ListFindNoCase("date,score", params.order) EQ 0>
<cfset params.order = "date">
</cfif>
This way, any sort column request gets vetted against the list values before being sent to the server. I then added the following code to my function:
<cfswitch expression="#params.order#">
<cfcase value="date">
<cfset params.order = "date DESC">
</cfcase>
<cfcase value="score">
<cfset params.order = "score ASC">
</cfcase>
<cfdefaultcase>
<cfset params.order = "date DESC">
</cfdefaultcase>
</cfswitch>
Since the default case will always set order to "date DESC" if the expression does not match the first two cases, doesn't that render ListFindNoCase() redundant?
I wanted to make sure that this is true before I removed the ListFindNoCase() function!
Sure, that is safe. You're hardcoding the order by, so there is no chance that extraneous SQL can be injected.
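The whitelist mapping carried through to the query, as an added example that is not part of the original question or answer. ORDER BY column names cannot be bound with cfqueryparam, so the switch is what keeps the sort key out of the SQL text; the table, column names, datasource and url.order/session.userId are assumptions.

```cfml
<!--- Added example (assumed table "scores", datasource "myDsn"). --->
<!--- Take the requested sort key from the client; fall back to "date" if absent. --->
<cfset local.sortKey = structKeyExists(url, "order") ? url.order : "date">

<!--- Map the client value to a hard-coded ORDER BY fragment. The client string itself never
      reaches the SQL: only one of the literals below does. --->
<cfswitch expression="#local.sortKey#">
    <cfcase value="date">
        <cfset local.orderBy = "created_at DESC">
    </cfcase>
    <cfcase value="score">
        <cfset local.orderBy = "score ASC">
    </cfcase>
    <cfdefaultcase>
        <!--- Any other value, including malformed input, lands here and gets the safe default. --->
        <cfset local.orderBy = "created_at DESC">
    </cfdefaultcase>
</cfswitch>

<!--- Values that belong in the WHERE clause are bound with cfqueryparam; the ORDER BY fragment
      is one of the two literals chosen above, so interpolating it is safe. --->
<cfquery name="local.rows" datasource="myDsn">
    SELECT id, created_at, score
    FROM scores
    WHERE user_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
    ORDER BY #local.orderBy#
</cfquery>
```

Keeping the mapping in one place (the switch) means adding a new sortable column is a one-line change and nothing else about the request needs re-validating.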