我的任务是检查一些最近遭受相当严重的 SQL 注入攻击的 ColdFusion 站点。 基本上我的工作涉及添加 > 标记到所有内联 sql。 大多数情况下我已经把它记下来了,但是有人能告诉我如何将 cfqueryparam 与 LIKE 运算符一起使用吗?
如果我的查询如下所示:
select * from Foo where name like '%Bob%'
我的 > 应该是什么? 标签是什么样的?
I have been tasked with going through a number of ColdFusion sites that have recently been the subject of a rather nasty SQL Injection attack. Basically my work involves adding <cfqueryparam
> tags to all of the inline sql. For the most part I've got it down, but can anybody tell me how to use cfqueryparam with the LIKE operator?
If my query looks like this:
select * from Foo where name like '%Bob%'
what should my <cfqueryparam
> tag look like?
发布评论
评论(2)
@Joel,我必须不同意。
永远不要向某人建议他们应该“选择明星”。 形式不好! 甚至举个例子! (甚至是从问题中复制的!)
查询是预编译的,您应该包含通配符作为传递给查询的参数的一部分。 此格式更具可读性并且运行效率更高。
进行字符串连接时,请使用与运算符 (&),而不是加号。 从技术上讲,在大多数情况下, plus 都可以正常工作......直到您在字符串中间抛出 NumberFormat() 并开始想知道为什么在检查时被告知您没有传递有效数字
@Joel, I have to disagree.
Never suggest to someone that they should "select star." Bad form! Even for an example! (Even copied from the question!)
The query is pre-compiled and you should include the wild card character(s) as part of the parameter being passed to the query. This format is more readable and will run more efficiently.
When doing string concatenation, use the ampersand operator (&), not the plus sign. Technically, in most cases, plus will work just fine... until you throw a NumberFormat() in the middle of the string and start wondering why you're being told that you're not passing a valid number when you've checked and you are.