An Important ColdFusion Tag:

ColdFusion is a server-side scripting language; its language is called ColdFusion Markup Language (CFML). CFML uses the same tag-based syntax as HyperText Markup Language (HTML). ColdFusion also offers CFScript, whose syntax resembles JavaScript, C++ or Java. One of the many tags in the ColdFusion language is <cfqueryparam>, which is designed to evaluate and validate the data type of a query parameter. The concept behind this tag is the binding of ColdFusion variables to parameters of the Database Management System (DBMS). Variable binding is also a very efficient way to speed up repeated executions of the same query. Another important tag in the CFML library is the <cfquery> tag; it lets Structured Query Language (SQL) statements be written to retrieve, manipulate and store data in the database. The <cfqueryparam> tag is therefore always nested inside a <cfquery> tag. The importance of <cfqueryparam> is not limited to performance but extends to security. One scenario is the appending of a malicious SQL statement to Uniform Resource Locator (URL) variables that are passed as parameters in SQL query statements, which could modify or erase data in the database.

Example 1:

        <CFQUERY DATASOURCE="MySQLDB" NAME="Example">
            SELECT * FROM SomeTable
            WHERE someTable_ID = #url.ID#
        </CFQUERY>

The url.ID is a variable that holds the value of the ID parameter from the URL; because it is surrounded by pound signs (#url.ID#), ColdFusion substitutes the contents of that variable directly into the SQL text. If a malicious SQL statement is appended to the URL like this: http://example/Test.cfm?ID=1%20DELETE%20FROM%20SomeTable, the statement could wipe out the data in the SomeTable table.

A <cfqueryparam> nested inside the SQL statement prevents this vulnerability, because the value is handed to the database as a typed bind parameter instead of being spliced into the SQL text.

Example 2:

        <CFQUERY DATASOURCE="MySQLDB" NAME="Example">
            SELECT * FROM SomeTable
            WHERE someTable_ID = <cfqueryparam value="#url.ID#"
                                               cfsqltype="cf_sql_bigint">
        </CFQUERY>
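The same protection written in CFScript, as an added example that is not part of the original page: queryExecute() binds the value as a typed parameter exactly as <cfqueryparam> does in Example 2, and a validation step rejects non-numeric input before the query is even built. The datasource "MySQLDB", the table and column names and the malicious URL come from the page; the function name getRowById, the error type and the use of queryExecute() (available in ColdFusion 11 and later and in Lucee) are assumptions.

```cfml
<!--- Added example, not the page's own code. Assumes ColdFusion 11+ or Lucee,
      where queryExecute() is available. Datasource and table names are the page's. --->
<cfscript>
// Returns the row whose someTable_ID matches the supplied id, or throws on bad input.
function getRowById( required string id ) {
    // First line of defence: reject anything that is not a positive integer.
    // "1 DELETE FROM SomeTable" (the page's attack string) fails here.
    if ( !isValid( "integer", arguments.id ) || val( arguments.id ) <= 0 ) {
        throw( type = "InvalidArgument", message = "ID must be a positive integer" );
    }

    // Second line of defence: the value is sent as a bound BIGINT parameter.
    // The SQL text never changes, so appended statements cannot alter it.
    return queryExecute(
        "SELECT * FROM SomeTable WHERE someTable_ID = :id",
        { id = { value = arguments.id, cfsqltype = "cf_sql_bigint" } },
        { datasource = "MySQLDB" }
    );
}

// Usage: read the ID from the URL scope, defaulting to an empty string when absent
// so that a missing parameter is rejected by the validation step rather than
// raising an undefined-variable error.
requestedId = structKeyExists( url, "ID" ) ? url.ID : "";

try {
    rows = getRowById( requestedId );
    writeOutput( "Rows returned: " & rows.recordCount );
} catch ( InvalidArgument e ) {
    // A request such as Test.cfm?ID=1%20DELETE%20FROM%20SomeTable ends up here.
    writeOutput( "Rejected request: " & e.message );
}
</cfscript>
```

Keeping both layers is deliberate: the type check gives a clear error message and stops obviously malformed input early, while the bound parameter is the control that actually prevents injection even if a value slips past validation, because the database driver treats it as data, never as SQL.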