Ask a Jedi: If I do my own checking, do I still need cfqueryparam?

Justin asks:

In a CFC file using <cffunction> with <cfargument type="blah">, should any queries inside the function (which is in the CFC) be using <cfqueryparam>? Or is the data already validated by the <cfargument> tag? I want to make sure I'm protecting my users, but don't know if there's such a thing as "overkill" here.

Repeat after me - there is no overkill when it comes to security. Another example would be if you do validation on the argument before sending it to the CFC. Does it make sense to validate again in the CFC? Yes. As it stands, cfargument can validate data types, but can't validate things like "greater than zero" or "whole numbers only."

Also - you are forgetting that cfqueryparam is more than just a security thing. It also speeds up query execution (for databases that support it), because the database can cache and reuse the execution plan for the parameterized statement.
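To put both layers side by side, here is an added example (not code from the original post) of a CFC method that lets cfargument check the type, adds the "whole number greater than zero" rule cfargument cannot express, and still binds the value with cfqueryparam. The component, the `myDSN` datasource and the `users` table are assumptions for the illustration.

```cfml
<!--- Added example, not from the original post. Assumes a datasource "myDSN"
      with a "users" table whose "id" column is an integer. --->
<cfcomponent>
    <cffunction name="getUser" access="public" returntype="query" output="false">
        <!--- cfargument validates the type only: type="numeric" still accepts 0,
              negative values and non-integers such as 1.5 --->
        <cfargument name="userID" type="numeric" required="true">

        <!--- the business rule cfargument cannot express: a positive whole number --->
        <cfif arguments.userID LTE 0 OR arguments.userID NEQ int(arguments.userID)>
            <cfthrow type="InvalidArgument"
                     message="userID must be a whole number greater than zero.">
        </cfif>

        <!--- cfqueryparam still wraps the value: the database receives a bound
              integer parameter rather than a value spliced into the SQL text,
              and can reuse the execution plan for the prepared statement --->
        <cfquery name="local.result" datasource="myDSN">
            SELECT id, username
            FROM users
            WHERE id = <cfqueryparam value="#arguments.userID#" cfsqltype="cf_sql_integer">
        </cfquery>

        <cfreturn local.result>
    </cffunction>
</cfcomponent>
```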


About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!
