add function EncodeForSQL

Description

Please keep in mind that this is not meant to be used as a safe replacement for bound parameters (i.e. cfqueryparam).

We are simply exposing an existing underlying feature from the ESAPI library.
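The distinction the description draws, shown side by side in Lucee CFML. This is an added example, not code from the ticket or from the Lucee code base: it assumes a datasource named "app" with a table users(id, name), and it assumes that encodeForSQL() takes the string and a dialect name as its second argument ("mysql" here); check the function's signature against the Lucee docs before relying on it.

```cfml
// Added example (not part of the ticket). Assumes datasource "app" and table users(id, name).
userName = form.name ?: "";   // attacker-controlled input

// 1. Vulnerable: the value is spliced into the SQL text, so input such as
//    O'Brien' OR '1'='1  changes the meaning of the statement.
vulnerable = queryExecute(
    "SELECT id, name FROM users WHERE name = '#userName#'",
    {},
    { datasource: "app" }
);

// 2. Escaping with encodeForSQL(): neutralises quote/escape characters for the named
//    dialect (dialect argument assumed to be "mysql"). It only helps when the value
//    lands inside a quoted string literal; a value spliced into an unquoted position
//    (numeric comparison, ORDER BY column, LIMIT) is not made safe by quote escaping.
//    Per the ESAPI Javadoc this approach is "not recommended".
escaped = queryExecute(
    "SELECT id, name FROM users WHERE name = '#encodeForSQL( userName, 'mysql' )#'",
    {},
    { datasource: "app" }
);

// 3. Preferred: a bound parameter. The driver sends the value separately from the
//    SQL text, so the input is never parsed as SQL whatever characters it contains.
bound = queryExecute(
    "SELECT id, name FROM users WHERE name = :name",
    { name: { value: userName, cfsqltype: "cf_sql_varchar" } },
    { datasource: "app" }
);
```

The third form is the one the ticket recommends; the second is only a fallback for dynamic SQL fragments that genuinely cannot be parameterised, and even then the surrounding SQL must put the escaped value inside quotes.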

Activity

Michael Born @ Ortus 
19 August 2021 at 13:05

I added a security warning in the encodeForSQL() documentation… if someone could review my PR, I'd appreciate it.

https://github.com/lucee/lucee-docs/pull/1190

Michael Offner 
23 July 2021 at 08:30

resolved?

Pete Freitag 
2 June 2021 at 20:30

And I see that this ticket is clear on that point, my only comment is that the docs should also reflect that.

Pete Freitag 
2 June 2021 at 20:28

I added a comment on the github commit, but it may be more appropriate to comment here…

The docs for this function are currently:

Encodes the given string for safe output in a query to reduce the risk Cross Site Scripting attacks.

This is to reduce the risk of SQL Injection attacks not Cross Site Scripting.

Further I think you should add that this function is "not recommended" as stated in the Java docs for it.

This method is not recommended. The use of the PreparedStatement interface is the preferred approach.
https://www.javadoc.io/doc/org.owasp.esapi/esapi/latest/org/owasp/esapi/Encoder.html#encodeForSQL-org.owasp.esapi.codecs.Codec-java.lang.String-

So I think you'd want to say something like the use of cfqueryparam or parameters is preferred.



Fixed

Created 28 May 2021 at 09:15
Updated 20 August 2021 at 18:03
Resolved 26 July 2021 at 14:22