How do I protect my ColdFusion code from a SQL Injection?
The following article explains how to protect your ColdFusion code from SQL injection. The recent injection attacks seen against ColdFusion sites take advantage of improperly coded pages that build SQL by concatenating user-supplied values directly into the query text. These attacks can be mitigated by using the cfqueryparam tag within your cfquery statements. cfqueryparam passes the value to the database driver as a bound parameter, separate from the SQL text, and validates it against the type declared in cfsqltype, so a malicious user cannot turn a form field or URL parameter into additional SQL.
To protect your CF code, use this tag every time dynamic data from a form, URL, cookie or other request source is placed into a query.
<cfqueryparam value="#URL.data#" cfsqltype="cf_sql_integer">
The above example takes the value of the URL parameter "data" and verifies that it is an integer before binding it into the query. If it is not, ColdFusion throws an exception and no SQL is executed; unless the exception is caught, it surfaces as an error page.
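The following is an added example, not code from the original article, showing a vulnerable cfquery beside its cfqueryparam-protected form, plus the string, list and error-handling variants a practitioner will usually need. The datasource name "appDS", the table "users" and its columns "id" and "username" are assumptions made for illustration.

```cfml
<!--- Added example (not from the original article). Assumes a datasource
      named "appDS" and a table "users" with columns id and username. --->

<!--- VULNERABLE: the URL value is pasted into the SQL text. A request such as
      ?id=1 OR 1=1 returns every row, and ?id=0 UNION SELECT ... can read
      other tables. --->
<cfquery name="badUser" datasource="appDS">
    SELECT id, username FROM users WHERE id = #URL.id#
</cfquery>

<!--- HARDENED: the value is sent to the driver as a bind parameter, separate
      from the SQL text, and validated as an integer first. "1 OR 1=1" is
      rejected with an exception before any SQL runs. --->
<cfquery name="goodUser" datasource="appDS">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings are bound the same way; a quote in the input is just data.
      maxlength additionally bounds the input size. --->
<cfquery name="byName" datasource="appDS">
    SELECT id, username FROM users
    WHERE username = <cfqueryparam value="#FORM.username#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- For IN (...) lists, list="true" binds each comma-separated item as its
      own typed parameter instead of splicing the raw list into the SQL. --->
<cfquery name="several" datasource="appDS">
    SELECT id, username FROM users
    WHERE id IN (<cfqueryparam value="#URL.ids#"
                               cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Catch the validation failure so a bad parameter yields a controlled
      400 response rather than a stack trace that leaks query details. --->
<cftry>
    <cfquery name="safeUser" datasource="appDS">
        SELECT id FROM users
        WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid id parameter.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

One caveat: bind parameters can only carry values. Table and column names, and the direction of an ORDER BY, cannot be passed through cfqueryparam; if those must come from user input, compare the input against a fixed allowlist of permitted identifiers in your code and never concatenate the raw value.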
More details about cfqueryparam and its attributes (cfsqltype, maxlength, list, null) can be found in the ColdFusion documentation for the tag.