cfqueryparam debug=no, prevent showing sensitive parameters in debugging output

Description

Add a debug=no option for the various ways that query parameters can be assigned.

That way, sensitive data can be prevented from being exposed in debugging query output, i.e. for passwords, tokens, etc.


Activity


Zac Spitzer 17 September 2020 at 17:02

This would also be really useful to exclude large inserts from being cached in the debug logs and memory.

Pothys - MitrahSoft 12 July 2019 at 07:00

I think there is no need to add that option to show/hide the param values, because param is mainly used to secure the data. ACF also works that way. Here is the reference from Adobe that describes more about queryparam:
https://helpx.adobe.com/coldfusion/developing-applications/accessing-and-using-data/accessing-and-retrieving-data/enhancing-security-with-cfqueryparam.html

Zac Spitzer 8 July 2019 at 12:12

IMHO that sucks, because now you can’t just grab the query from the debug output and run it in a SQL profiler, which is really useful, especially when doing performance tuning.

I think the proposed debug attribute is a far more developer-friendly, flexible approach.

Could an option be added to the template config to hide all parameter values from queries?
Pothys - MitrahSoft 8 July 2019 at 11:29

Hi,

After the fix for LDEV-2344 was merged, we can't see any param values. This is the sample output from the modern debugging template,

I think we don't need to add a new attribute "debug" for queryParam.
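
The trade-off discussed in this thread (hide secrets, yet keep a query that can be pasted into a SQL profiler) can be sketched as a debug renderer that redacts per parameter. This is an added example, not Lucee code: `renderDebugSql()` and the per-parameter `debug` key are hypothetical and modelled on the proposed attribute. It assumes positional `?` placeholders and no SQL comments in the statement.

```cfml
<cfscript>
// Added illustration, not Lucee source code. renderDebugSql() and the
// per-parameter "debug" key are hypothetical, modelled on the proposal above.
function renderDebugSql( required string sql, required array params ) {
    var numericTypes = "cf_sql_integer,cf_sql_bigint,cf_sql_smallint,cf_sql_tinyint,cf_sql_numeric,cf_sql_decimal,cf_sql_float,cf_sql_double";
    var out = "";
    var inLiteral = false;   // true while inside a '...' SQL string literal
    var idx = 0;             // index of the current positional parameter

    for ( var i = 1; i <= len( arguments.sql ); i++ ) {
        var ch = mid( arguments.sql, i, 1 );
        if ( ch == "'" ) {
            inLiteral = !inLiteral;
        }
        // Copy everything except placeholders; a "?" inside a literal is data.
        if ( ch != "?" || inLiteral ) {
            out &= ch;
            continue;
        }
        idx++;
        if ( idx > arrayLen( arguments.params ) ) {
            throw( message = "SQL has more placeholders than parameters" );
        }
        var p = arguments.params[ idx ];
        if ( structKeyExists( p, "debug" ) && !p.debug ) {
            // Sensitive: keep the placeholder and type, never the value.
            out &= "? /* param #idx# (#p.cfsqltype#) hidden */";
        } else if ( listFindNoCase( numericTypes, p.cfsqltype ) && isNumeric( p.value ) ) {
            out &= p.value;
        } else {
            // Inline as a quoted literal so the statement can be pasted into a profiler.
            out &= "'" & replace( p.value, "'", "''", "all" ) & "'";
        }
    }
    if ( idx < arrayLen( arguments.params ) ) {
        throw( message = "SQL has fewer placeholders than parameters" );
    }
    return out;
}

// Constructed sample input: the token is flagged debug=false, the rest are not.
params = [
    { value: "alice", cfsqltype: "cf_sql_varchar" },
    { value: "constructed-token-value", cfsqltype: "cf_sql_varchar", debug: false },
    { value: 42, cfsqltype: "cf_sql_integer" }
];
writeOutput( renderDebugSql(
    "SELECT id FROM users WHERE name = ? AND api_token = ? AND tenant_id = ?", params ) );
</cfscript>
```

Only the flagged parameter stays as a placeholder, so the redacted value never reaches the debug log or the in-memory debug data, while the remaining values are still inlined.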

Details

Created 6 July 2019 at 18:20
Updated 15 July 2022 at 14:15
