Is it necessary to cfqueryparam all values?

November 13, 2019
coldfusion

I had a question today asking why Fixinator does not add cfqueryparam to static values within a query. For example, if you have this code:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( #a#, 'b' )
</cfquery>

When you run Fixinator's autofix on the above, it would give you:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, 'b' )
</cfquery>

The above fixes the security issue in the code, and leaves the static value 'b' alone. It would be perfectly valid to write the code like this:

<cfquery>
INSERT INTO tbl (a, b)
VALUES ( <cfqueryparam value="#a#">, <cfqueryparam value="b"> )
</cfquery>

However, it isn't necessary from a security perspective, and if I had to guess I would imagine it would add a slight amount of unnecessary overhead (decreased performance).
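
To make the distinction concrete, here is a small scanner I have added for this post (it is not Fixinator's code) that applies the same rule to a cfquery body: anything containing a ColdFusion interpolation #expr# is dynamic and gets wrapped, while a static literal such as 'b' is left alone. It also goes one step further than the example above and treats a quoted '#a#' as dynamic, since the quotes do nothing to stop an injected value. It assumes the body contains no SQL comments and only single-quoted string literals.

```python
import re

# Tokens that matter inside a <cfquery> body, tried left to right in this order:
#   an existing <cfqueryparam ...> tag (already safe, left untouched),
#   a single-quoted SQL string literal ('' is the SQL escape for a quote),
#   a bare ColdFusion interpolation #expr# (## is an escaped hash, not an interpolation).
TOKEN = re.compile(
    r"(?P<param><cfqueryparam\b[^>]*>)"
    r"|(?P<str>'(?:[^']|'')*')"
    r"|(?P<interp>#[^#]+#)",
    re.IGNORECASE,
)
INTERP = re.compile(r"#[^#]+#")

def find_unparameterized(sql):
    """Return every dynamic value in the query body that is not already a cfqueryparam.

    A static literal such as 'b' contains no #expr#, so it is never reported.
    Both a bare #a# and a quoted '#a#' are reported: the surrounding quotes do
    not stop an attacker-controlled value from changing the statement.
    """
    hits = []
    for m in TOKEN.finditer(sql):
        if m.group("param"):
            continue  # value="#x#" inside an existing cfqueryparam is fine
        if INTERP.search(m.group(0)):
            hits.append(m.group(0))
    return hits

def autofix(sql):
    """Rewrite the body the way the post describes: wrap dynamic values, leave static ones."""
    def fix(m):
        text = m.group(0)
        if m.group("param") or not INTERP.search(text):
            return text  # existing param or static literal: nothing to do
        if m.group("str"):
            # '#a#' -> drop the quotes; cfqueryparam handles quoting itself
            text = text[1:-1].replace("''", "'")
        return '<cfqueryparam value="%s">' % text
    return TOKEN.sub(fix, sql)

# The query from the post, and a constructed one with a quoted interpolation
# plus an escaped hash that must not be mistaken for an interpolation.
PAGE_QUERY = "INSERT INTO tbl (a, b)\nVALUES ( #a#, 'b' )"
QUOTED_QUERY = "SELECT * FROM t WHERE name = '#n#' AND code = 'A##1'"

if __name__ == "__main__":
    print(autofix(PAGE_QUERY))    # only #a# is wrapped, 'b' is untouched
    print(autofix(QUOTED_QUERY))  # '#n#' is wrapped, 'A##1' is untouched
```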

Foundeo Inc.