cfqueryparam debug=no, prevent showing sensitive parameters in debugging output

Description

Add a debug=no option for the various ways that query parameters can be assigned.

That way sensitive data can be prevented from being exposed in debugging query output, i.e. for passwords, tokens etc.

Activity

Pothys - MitrahSoft
July 8, 2019, 11:29 AM

Hi,

After the fix for LDEV-2344 got merged, we can't see any param values. This is the sample output from the modern debugging template,

I think we don't need to add a new attribute "debug" for queryParam.

Zac Spitzer
July 8, 2019, 12:12 PM

IMHO that sucks, because now you can’t just grab the query from the debug output and run it in a SQL profiler, which is really useful, especially when doing performance tuning.

I think the proposed debug attribute is a far more developer-friendly, flexible approach.

Could an option be added to the template config to hide all parameter values from queries?

Pothys - MitrahSoft
July 12, 2019, 7:00 AM

I think there is no need to add that option to show/hide the param values, because param is mainly used to secure the data. ACF also works that way. Here is the reference from Adobe that describes more about queryparam:
https://helpx.adobe.com/coldfusion/developing-applications/accessing-and-using-data/accessing-and-retrieving-data/enhancing-security-with-cfqueryparam.html

Zac Spitzer
September 17, 2020, 5:02 PM

This would also be really useful to exclude large inserts from being cached in the debug logs and memory.

Assignee

Unassigned

Reporter

Zac Spitzer

Affects versions

Priority

New