是否可能有cfqueryparams发送到MySQL作为准备语句参数? [英] Is it possible to have cfqueryparams sent to MySQL as prepared statement parameters?
问题描述
当使用< cfquery>
和< cfqueryparam>
(或 queryExecute
),ColdFusion(或者JDBC)会在将其发送到MySQL服务器之前对原始SQL查询应用自己的字符串替换。
When using <cfquery>
and <cfqueryparam>
(or queryExecute
), ColdFusion (or perhaps the JDBC) will apply its own string replacement against the original SQL query before sending it to the MySQL server.
如果ColdFusion服务器转义实现有缺陷,那么它不如预准备的语句有效,并且具有更大的SQL注入潜力。
This is not as efficient as a prepared statement and has a greater potential for SQL injection if the ColdFusion servers escaping implementation is flawed.
ColdFusion调试和跟踪将使它看起来像
Coldfusion debugging and tracing will make it appear as though the query was processed as a prepared statement but MySQL reveals otherwise.
这可以通过记录sql查询来证明:
set global general_log = 1;
This can be proven by logging sql queries:
set global general_log=1;
观察日志,
tail -f / var / lib / mysql / $(uname -n).log
日志应该在查询中显示PREPARE语句和问号,
The log should show PREPARE statements and question marks in the queries, but instead the log shows the full query with variables substituted into the question marks.
有可能强制ColdFusion使用适当的 PREPARE
语句,而不是对于MySQL数据库使用< cfquery>
和< cfqueryparam>
如果它归结到JDBC连接字符串,为了使用预编译语句,必须从默认设置更改。
Is it possible to force ColdFusion to use proper PREPARE
statements instead of string replacement when <cfquery>
and <cfqueryparam>
are used against a MySQL database? If it boils down to the JDBC connection string, what must be changed from the default settings in order to use prepared statements.
我认为答案可能存在于某处:
I think the answer may exist in here somewhere:
- https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
- https://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.html#DataSourceManagementforColdFusion-ConnectingtoMySQL
- 使用cfqueryparam创建预准备语句的条件?
- https:/ /dev.mysql.com/doc/connector-j/5.1/en/connector-j-useconfigs.html
- https://dev.mysql.com/doc/connector-odbc/en/connector- odbc-configuration-connection-parameters.html
- https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
- https://helpx.adobe.com/coldfusion/configuring-administering/data-source-management-for-coldfusion.html#DataSourceManagementforColdFusion-ConnectingtoMySQL
- condition for creating a prepared statement using cfqueryparam?
- https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-useconfigs.html
- https://dev.mysql.com/doc/connector-odbc/en/connector-odbc-configuration-connection-parameters.html
推荐答案
The default behavior of the JDBC driver is to set useServerPrepStmts=false
according to https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
添加 useServerPrepStmts = true
到JDBC 连接字符串$ c $在
数据和数据库中的CFIDE(
。 /cfide/administrator/enter.cfm
服务> Datasources
Add useServerPrepStmts=true
to the JDBC Connection String
parameters in the CFIDE (/cfide/administrator/enter.cfm
) under Data & Services > Datasources
.
这篇关于是否可能有cfqueryparams发送到MySQL作为准备语句参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!