hi,
i am using the mysql aes_encrypt function for encrypting data in the database.
i.e. a sample update query that i have:
<cfquery name="updateUser" datasource="#application.datasource#">
UPDATE users
SET
users.name=AES_ENCRYPT('#form.name#', '#application.master_key#'),
users.contact=AES_ENCRYPT('#form.contact#', '#application.master_key#'),
users.town=AES_ENCRYPT('#form.town#', '#application.master_key#'),
users.role=<cfqueryparam value="#form.role#" cfsqltype="cf_sql_integer">
WHERE users.id=<cfqueryparam value="#form.user_id#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
this works fine and i then successfully retrieve the data using the following:
<cfquery name="getUser" datasource="#application.datasource#">
SELECT users.id, users.role, CAST(AES_DECRYPT(users.name, '#application.master_key#') AS CHAR(50)) name_decrypt,
CAST(AES_DECRYPT(users.contact, '#application.master_key#') AS CHAR(30)) contact_decrypt,
CAST(AES_DECRYPT(users.town, '#application.master_key#') AS CHAR(30)) town_decrypt
FROM users
WHERE users.id=<cfqueryparam value="#url.user_id#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>
my concern is how to sanitise the input in the update query for name, contact and town - as i cant seem to use the cfqueryparam tag here.
any ideas as to the best way to deal with this?