2

I am new to Coldfusion and my previous background is in PHP using codeIgniter. I am currently using CFWheels for a project.

I have a insert statement

n_building = model("buildings").new();
n_building.name = name;
n_building.save();

And read statement

room = model("rooms").findOne(where="name='#name#' AND b_id='#b_id#'");

Is the above best practice or can it be written better in terms of security.

Question is that will using ORM automatically protect my queries from SQL Injection or any other form of injection or security risk? Do I have to use something else with it, if so how can I modify the above statements?

Saad A
  • 1,135
  • 2
  • 21
  • 46

2 Answers2

1

As far as I know cfwheels ORM will parametrize the queries built by the ORM. It will insert <cfqueryparam> in the Statement. But you could enable debugging and easily have a look at the query sent to the database.

Thorsten
  • 223
  • 3
  • 13
1

CfWheels by default uses cfqueryparam for everything unless you use parameter parameterize and set it to false. So you don't have to worry about the Sql injection.

Read about parameterize parameter in findAll method description .

Your code can be made better as suggested by John Whish by using dynamic finders.

Tushar Bhaware
  • 2,525
  • 1
  • 16
  • 29
  • clean answer! I have one question though: what does CFWheels does, if we also have in place a `Having` clause in the `group` attribute of the model statement? Will it parameterize the having clause as well? For example: room = model("rooms").findAll(select="count(id)",where="name='#name#' AND b_id='#b_id#'", group="room_type Having count(id) > 0"); This is just a simple example but you get the idea. – Anurag Oct 14 '15 at 06:55