
CFWheels ORM and SQL Injection


I am new to ColdFusion and my previous background is in PHP using CodeIgniter. I am currently using CFWheels for a project.

I have an insert statement

// create a new buildings record, set its name and persist it
n_building = model("buildings").new();
n_building.name = name;
n_building.save();

And a read statement

// look up one room by name and building id, interpolating the values into the where clause
room = model("rooms").findOne(where="name='#name#' AND b_id='#b_id#'");

Is the above best practice, or can it be written better in terms of security?

My question is: will using the ORM automatically protect my queries from SQL injection or any other form of injection or security risk? Do I have to use something else with it, and if so, how can I modify the above statements?


Solution

  • CFWheels by default uses cfqueryparam for everything unless you use the parameterize parameter and set it to false. So you don't have to worry about SQL injection.

    Read about the parameterize parameter in the findAll method description.

    Your code can be made better, as suggested by John Whish, by using dynamic finders.
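The rewrite the answer suggests, as an added example rather than code from the question or from CFWheels itself; the dynamic finder method names (findOneByName, findOneByNameAndB_id) and the comma-delimited values argument for the two-column form are assumed from the CFWheels naming convention, so check them against the findAll documentation for your version.

```cfml
<cfscript>
// The original read: values are pasted straight into the where string.
// CFWheels parses this string and still emits cfqueryparam for the literals,
// but a value containing a single quote breaks the parse, so it is fragile.
room = model("rooms").findOne(where="name='#name#' AND b_id='#b_id#'");

// Dynamic finder, one column: the value is passed as an argument, not
// interpolated, and CFWheels parameterizes it for you (no manual quoting).
room = model("rooms").findOneByName(name);

// Dynamic finder, two columns (assumed syntax): column names are joined
// with "And" in the method name and the values are given as a delimited list.
room = model("rooms").findOneByNameAndB_id(values="#name#,#b_id#");

// Do not do this: parameterize=false turns cfqueryparam off for the call,
// which is the only way the ORM stops protecting you here.
// room = model("rooms").findOne(where="name='#name#'", parameterize=false);
</cfscript>
```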