Database issue with URL ID fields - possible for web users to KILL your database tables
If you allow users to display records from your database based off of an ID field that is passed via the URL, you need to ensure that the value is numeric prior to your CFQUERY command if you use embedded SQL.
If you don't and don't have your query's trapped in case of an error, a remote user can effectively delete every record in your table using only their browser.
For example, say you have the following URL:
The browser is not supported.
The URL parameter viewrec is the ID of the record in question that you want to display.
However, if the remote user changes the url so that the number is invalid, say a non-numeric value...
The browser is not supported.
This would cause the SQL command to fail and depending on the debug settings, it could display to the user the SQL command you used including the table name(s).
Thus armed with the knowledge of the table name that contains the records, they can delete ALL data from that table by entering the following URL (assuming the table in question is named "widgets"):
The browser is not supported.
It does work - I tried it after someone warned me that my CF Tips-N-Tricks website is vulnerable to it. (Call it my morbid sense of curiosity and yes, I did back up the table first.) Everything in the table was gone.