将 ms 访问迁移到 mysql -- 更改 CF 编码(来自新手)
我正在将 Coldfusion9 查询代码从 ms access 2003 迁移到 mySql。我的MySql知识有限,所以这是一个初学者的问题:)
在我的MS Access代码中,我使用了简单的cfqueries...这是一个例子:
<cfquery name="catalog" datasource="mydatasource">
SELECT TableID, DateListed, FirstColor, SecondColor
FROM mytable
WHERE FirstColor='blue' OR SecondColor='blue'
ORDER BY DateListed DESC
</cfquery>
我从在线阅读中了解到,需要将cfqueryparam与mySql一起使用来防止注入恶意代码。我不确定恶意代码是如何注入的......由于在线网站用户不通过表单与我的数据库交互,我是否仍然需要使用 cfqueryparam?
如果是这样,您能给我一个将 cfqueryparam 添加到上述代码的方法示例吗? -或者- 建议一个好的、简单的如何编写 mySql 代码的资源(在我的在线搜索中,大多数编码信息都预设了比我更高水平的知识)
I am migrating my coldfusion9 query code from ms access 2003 to mySql. My MySql knowledge is limited, so this is a beginner's question :)
In my MS Access code, I used simple cfqueries... here's an example:
<cfquery name="catalog" datasource="mydatasource">
SELECT TableID, DateListed, FirstColor, SecondColor
FROM mytable
WHERE FirstColor='blue' OR SecondColor='blue'
ORDER BY DateListed DESC
</cfquery>
I understand from online reading that one needs to use cfqueryparam with mySql to protect from injected malicious code. I'm not sure how the malicious code is injected .... as online website users don't interact with my database via forms, will I still need to use cfqueryparam?
If so, could you give me an example of an way to add cfqueryparam to the above code? -or- suggest a good, simple how-to resource for writing mySql code (in my searches online most of the coding info presupposes a higher level of knowledge than I have)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
除了防止 SQL 注入之外,CFQUERYPARAM 还允许您使用绑定变量,这可以提高性能,因为除了某些变量之外相同的查询只需要编译一次并且可以缓存。
从您的示例来看,这就是您使用 cfqueryparam 的方式:
但是,这并没有给您带来太多好处。回报是在这样的情况下:
现在,无论颜色是蓝色、红色还是黄绿色,该查询都会在数据库中编译,并且在后续调用中速度会更快。此外,恶意用户可以将
form.color更改为blue';drop table users;值,这样您就可以免受 SQL 注入的侵害。In addition to protecting from SQL injection, CFQUERYPARAM lets you use bind variables, which can give you performance gains because queries that are the same except for some variables only need to be compiled once and can be cached.
From your sample, this is how you'd used cfqueryparam:
That doesn't buy you much, however. The payoff is in situations like this:
Now whether the color is blue or red or chartreuse this query is compiled in the database and will be faster on subsequent calls. Further, a malicious user could change
form.colorto have the value ofblue';drop table users;and you'll be protected from the SQL injection.使用 cfqueryparam 至少有三个充分理由:
1) 安全,防止注入或用户的其他不良意图。
2) 查询执行得更快,因为您明确声明了查询的类型。
3)这只是一个好主意,再加上与其他语言功能类似,例如
我们在 DAO 对象中使用了这样的示例(这些是其中包含与数据库对话的代码的 cfc)
其中 #arguments.varname#被传递到包含 SQL 的方法中。
There are at least three good reasons to use cfqueryparam
1) Security from injection or other bad intent from users.
2) Queries execute faster because you explicitly state their type.
3) Its just a good idea, plus similar to other language features, like
We used examples like this all over of DAO objects (these are the cfcs that have the code in them that speak to the database)
Where the #arguments.varname# was passed into the method containing the SQL.