#1
OK, I've got a thing I've been thinking about for a while now. Can someone show me how a hacker can exploit the following cfquery and hack the site using it? And can you also show me how to prevent that?

<cfquery datasource="#datasourcename#" name="queryname" blockfactor="100" username="#dbusername#" password="#dbpassword#">
SELECT this, that, them FROM that_table WHERE ID = #ID#
</cfquery>

Someone please help. Thx!
#2
The specific exploits depend on the database, but SQL injection attacks rely on appending extra statements to the end of the variable. If you do nothing about this, the extra statements can execute, allowing people to drop tables, delete rows, or anything else the DSN username has rights to do.
If ID is numeric, you can just do:

WHERE ID = #val(ID)#

Or you can use <cfqueryparam> in the where clause.
__________________
Ask if you have a question, but also help answer questions that you have knowledge of! Thanks, Brian. How to Post a Question in the Forums
#3
Yeah, I just got worried because I heard that some ColdFusion variables got leaked (don't know the technical term) and it let hackers exploit it more easily...
Anyway, so tell me if this would do the trick:

<cfquery datasource="#datasourcename#" name="queryname" blockfactor="100" username="#dbusername#" password="#dbpassword#">
SELECT this, that, them FROM that_table WHERE ID = <cfqueryparam value="#ID#" cfsqltype="CF_SQL_NUMERIC" dbname="db1" null="No" list="No">
</cfquery>
#4
Looks about right but I think the last 3 attributes of cfqueryparam are optional so you may not need to bother adding them unless you just want to be thorough.
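As an added example (not code from the thread), the three variants discussed above (raw #ID#, #val(ID)#, and cfqueryparam as a bound numeric parameter) are mirrored here in Python with sqlite3 so the fix can be checked against a constructed table; cf_val is an approximation of ColdFusion's val(), and the table contents are made up.

```python
import re
import sqlite3

# Constructed stand-in for that_table; not data from the thread.
ROWS = [(1, "a1", "b1", "c1"), (2, "a2", "b2", "c2"), (3, "a3", "b3", "c3")]
NUMERIC = re.compile(r"\s*[+-]?\d+(\.\d+)?")


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE that_table (ID INTEGER, this TEXT, that TEXT, them TEXT)")
    con.executemany("INSERT INTO that_table VALUES (?, ?, ?, ?)", ROWS)
    return con


def query_interpolated(con, user_id):
    # Analogue of WHERE ID = #ID#: the request value is spliced into the SQL
    # text, so anything after the number becomes part of the statement.
    sql = f"SELECT this, that, them FROM that_table WHERE ID = {user_id}"
    return con.execute(sql).fetchall()


def cf_val(s):
    # Approximation of ColdFusion val(): leading numeric prefix, else 0.
    m = NUMERIC.match(str(s))
    if not m:
        return 0
    v = float(m.group())
    return int(v) if v.is_integer() else v


def query_val(con, user_id):
    # Analogue of WHERE ID = #val(ID)#: only a number reaches the SQL text;
    # a tampered value silently collapses to its numeric prefix (or 0).
    sql = f"SELECT this, that, them FROM that_table WHERE ID = {cf_val(user_id)}"
    return con.execute(sql).fetchall()


def query_param(con, user_id):
    # Analogue of <cfqueryparam cfsqltype="CF_SQL_NUMERIC">: the value is
    # type-checked and bound, never concatenated, so non-numeric input is
    # rejected before any SQL runs.
    text = str(user_id).strip()
    if not re.fullmatch(r"[+-]?\d+(\.\d+)?", text):
        raise ValueError(f"invalid numeric value for ID: {user_id!r}")
    return con.execute(
        "SELECT this, that, them FROM that_table WHERE ID = ?", (float(text),)
    ).fetchall()
```

Running the same tampered value through all three shows the difference: the interpolated form returns rows it should not, val() returns only row 2, and the parameterised form refuses the input outright.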
#5
Is there anything else I can do to improve the security of my site???
Viewing: Dev Shed Forums > Programming Languages - More > ColdFusion Development > security