Pete Freitag

Is it necessary to cfqueryparam all values?

Published on November 13, 2019
By Pete Freitag
coldfusion

I had a question today asking why Fixinator does not add cfqueryparam to static values within a query. For example, if you have this code:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( #a#, 'b' )
</cfquery>

When you run Fixinator's autofix on the above, it would give you:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, 'b' )
</cfquery>

The above fixes the security issue in the code, and leaves the static value 'b' alone. It would be perfectly valid to write the code like this:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, <cfqueryparam value="b"> )
</cfquery>

However, it isn't necessary from a security perspective: the literal 'b' is fixed in the source code, so nothing an attacker supplies can alter it. And if I had to guess, I would imagine parameterizing it adds a slight amount of unnecessary overhead (decreased performance).
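The same distinction, dynamic value versus static literal, holds in any database client, so here is an added example (not code from the original post or from Fixinator) that walks through the three variants above in Python with an in-memory SQLite database, which runs without a ColdFusion server. The table `tbl`, the legitimate test value `O'Brien` and the helper names are constructed for the example. The interpolated version corresponds to `VALUES ( #a#, 'b' )`, the second to Fixinator's autofix output, and the third to parameterizing everything.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Create a throw-away in-memory database with the page's two-column table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (a TEXT, b TEXT)")
    return conn


def insert_interpolated(conn: sqlite3.Connection, a: str) -> None:
    # Equivalent of VALUES ( #a#, 'b' ): the caller's value is spliced into the SQL text,
    # so any quote inside it changes the statement's structure.
    conn.execute(f"INSERT INTO tbl (a, b) VALUES ('{a}', 'b')")


def insert_param_dynamic_only(conn: sqlite3.Connection, a: str) -> None:
    # Equivalent of Fixinator's autofix: only the dynamic value becomes a bind parameter,
    # the static 'b' stays a literal. The SQL text is now constant for every call.
    conn.execute("INSERT INTO tbl (a, b) VALUES (?, 'b')", (a,))


def insert_param_all(conn: sqlite3.Connection, a: str) -> None:
    # Equivalent of parameterizing both values: valid, but binding a literal the
    # developer wrote themselves removes no risk that the previous version still had.
    conn.execute("INSERT INTO tbl (a, b) VALUES (?, ?)", (a, "b"))


def rows(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT a, b FROM tbl ORDER BY rowid").fetchall()


def demo() -> dict:
    """Run all three variants on a value containing a quote and report what happened."""
    results = {}
    conn = setup()
    # A perfectly ordinary value with an apostrophe (constructed): the interpolated
    # statement becomes syntactically invalid because the quote terminates the literal.
    value = "O'Brien"
    try:
        insert_interpolated(conn, value)
        results["interpolated"] = "ok"
    except sqlite3.OperationalError:
        results["interpolated"] = "error"
    # Both parameterized forms store the value exactly as given.
    insert_param_dynamic_only(conn, value)
    insert_param_all(conn, value)
    results["rows"] = rows(conn)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The interpolated insert fails on a harmless apostrophe, which is the same mechanism an injection attack relies on; both parameterized inserts store the row intact. Note that the second and third variants produce identical rows, which is the point of the post: the bind parameter on `'b'` changes nothing the database can observe, while the constant SQL text of the dynamic-only version already lets the database reuse its prepared statement.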

