Does stored procedure require cfSqlType?

To protect against sql injection, I read in the introduction to ColdFusion that we should use the cfqueryparam tag.

But when using stored procedures, I pass my variables to the corresponding variable declarations in SQL Server:

DROP PROC Usr.[Save]
GO
-- Each parameter is declared with an explicit SQL Server type here;
-- the question is whether the calling CFML side should declare a type as well.
CREATE PROC Usr.[Save]
(@UsrID Int
,@UsrName varchar(max)
) AS
UPDATE Usr
SET UsrName = @UsrName
WHERE UsrID = @UsrID
-- Return the updated row as the procedure's result set
exec Usr.[get] @UsrID

Q: Is there any value in enabling cfSqlType when calling a stored procedure? Here's how I do it now in Lucee:

storedproc procedure='Usr.[Save]' {
    procparam value=Val(form.UsrID);
    procparam value=form.UsrName;
    procresult name='Usr';
}
1 answer

This question indirectly touched another thread. This thread has been devoted to query parameters, but the same problems apply to procedures. To summarize, yes, you should always enter query and proc parameters. To paraphrase another answer:

cfsqltype , :

  • Validation:   ColdFusion cfsqltype (, ..) "". , sql - . , "" , "ABC" cf_sql_integer, sql, . cfsqltype, , .

  • :    , CF . cfsqltype , - - , .

    , cfsqltype. , CF . , ( ). - , .

    , , . , "05/04/2014"? 5 4 ? . , .

- cfsqltype. column/function (, , ).

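The question's Lucee call with each parameter typed, as an added example that is not part of the original question or answer; the datasource name "myDSN", the saveUser wrapper and the sample values are assumptions.

```cfml
<cfscript>
// Added example: the same Usr.[Save] call, but with cfsqltype on every procparam.
// Declaring the type lets the driver bind each value as an INT or VARCHAR,
// so a non-numeric UsrID is rejected before the statement ever reaches SQL Server,
// and UsrName is always sent as a bound string rather than as part of the SQL text.
// "myDSN" is an assumed datasource name.
function saveUser(required any usrID, required string usrName) {
    try {
        storedproc procedure="Usr.[Save]" datasource="myDSN" {
            // Bound as cf_sql_integer: a value such as "ABC" fails validation here,
            // whereas the untyped call with Val() would silently coerce it to 0.
            procparam cfsqltype="cf_sql_integer" value="#arguments.usrID#";
            // Bound as cf_sql_varchar: matches the @UsrName varchar parameter of the proc.
            procparam cfsqltype="cf_sql_varchar" value="#arguments.usrName#";
            // The SELECT run by Usr.[get] at the end of the proc is returned here.
            procresult name="local.usr";
        }
        return { "ok": true, "user": local.usr };
    } catch (any e) {
        // Parameter validation failures surface as an exception before any SQL runs.
        return { "ok": false, "message": e.message };
    }
}

// Constructed sample inputs (assumptions, not values from the original page).
writeDump(saveUser(42, "Alice"));      // both values bind with their declared types
writeDump(saveUser("ABC", "Alice"));   // rejected by the cf_sql_integer check, never sent to SQL Server
</cfscript>
```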

Source: https://habr.com/ru/post/1584639/
