Does CFSWITCH prevent SQL injection when used for sort columns?
I use the following technique to ensure that any sort column params coming from the client go through a ListFindNoCase() function:
<cfif ListFindNoCase("date,score", params.order) EQ 0>
    <cfset params.order = "date">
</cfif>
This way, any sort column request gets vetted against the list values before being sent to the server. I then added the following code to my function:
<cfswitch expression="#params.order#">
    <cfcase value="date">
        <cfset params.order = "date DESC">
    </cfcase>
    <cfcase value="score">
        <cfset params.order = "score ASC">
    </cfcase>
    <cfdefaultcase>
        <cfset params.order = "date DESC">
    </cfdefaultcase>
</cfswitch>
Since the default case will always set the order to "date DESC" if the expression does not match the first two cases, doesn't that render ListFindNoCase() redundant?
I wanted to make sure that this is true before I removed the ListFindNoCase() function!
Sure, that is safe. You're hardcoding the order by, so there is no chance that extraneous SQL can be injected.
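The claim that the switch alone is enough can be checked mechanically. The following is an added example (not code from the question or the answer) that models both CFML variants in Python: the ListFindNoCase() gate plus cfswitch, and the cfswitch alone. It assumes, as the tag names suggest, that both comparisons are case-insensitive; the table name and column list in the built query are constructed for the example.

```python
# Added example: models the two CFML variants from the question so the
# "is ListFindNoCase() redundant?" claim can be checked over sample inputs.
# Assumption (not stated on the page): ListFindNoCase() and cfswitch both
# compare strings case-insensitively, so both variants use .lower().

ALLOWED = ("date", "score")                              # the ListFindNoCase() list
CLAUSES = {"date": "date DESC", "score": "score ASC"}    # the cfcase bodies
DEFAULT = "date DESC"                                    # the cfdefaultcase body


def order_with_list_check(requested: str) -> str:
    """Variant 1: ListFindNoCase() gate followed by the cfswitch."""
    if requested.lower() not in ALLOWED:       # ListFindNoCase(...) EQ 0
        requested = "date"
    return CLAUSES.get(requested.lower(), DEFAULT)


def order_switch_only(requested: str) -> str:
    """Variant 2: the cfswitch alone; cfdefaultcase catches everything else."""
    return CLAUSES.get(requested.lower(), DEFAULT)


def build_query(requested: str) -> str:
    """ORDER BY cannot take a bind parameter, so the clause is concatenated.
    That is safe only because order_switch_only() returns one of the
    hard-coded clauses; nothing from the client string reaches the SQL."""
    return "SELECT id, date, score FROM posts ORDER BY " + order_switch_only(requested)


# Constructed sample inputs: the valid columns in mixed case, an unknown
# column, an empty value, and a value carrying extra SQL text.
SAMPLE_INPUTS = ["date", "SCORE", "Score", "author", "", "date DESC; anything else"]


def variants_agree(inputs=SAMPLE_INPUTS) -> bool:
    """True when both variants return the same clause for every input and
    every result is one of the hard-coded clauses (the invariant that makes
    the ORDER BY concatenation safe)."""
    fixed = set(CLAUSES.values()) | {DEFAULT}
    return all(
        order_with_list_check(x) == order_switch_only(x)
        and order_switch_only(x) in fixed
        for x in inputs
    )


if __name__ == "__main__":
    for x in SAMPLE_INPUTS:
        print(repr(x), "->", order_switch_only(x))
    print("variants agree:", variants_agree())
```

The equivalence depends entirely on the cfdefaultcase branch: without it, an unmatched value would leave params.order holding the raw client string, and the ListFindNoCase() gate would again be the only control.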