> The results seen in the previous thread bring up a question: why use
> cfqueryparam at all on form inputs that are not used in a
> WHERE clause,
> especially when a good input scrubber is already in use?
>
> I can already see one answer: cfsqltype=cf_sql_numeric will throw an
> error if a sql injection is attempted. So use cfqueryparam on those.
> But what about cfsqltype=cf_sql_varchar? I can see a clear
> need for it
> in a WHERE clause, but with inputs? When a scrubber is
> already in use?
> What does it do in that specific case?
>
> --Matt Robertson--
Finer control. Faster performance.

I like to do stuff like this for my columns that allow NULLs:

UPDATE tblStuff
SET Name = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#Form.Name#" Null="#YesNoFormat(Len(Trim(Form.Name)) EQ 0)#">
WHERE StuffID = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#Form.StuffID#">

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
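The reply above makes two points about cfqueryparam on a value that sits in a SET clause rather than a WHERE clause: a bound parameter never becomes part of the SQL text, so a "scrubber" that misses a case cannot let the input rewrite other columns, and the Null attribute turns an empty form field into a real NULL instead of an empty string. The following is an added example, not code from this thread or from ColdFusion; it uses Python's sqlite3 bind parameters in place of cfqueryparam to show both effects side by side. The tblStuff table, its Role column, the scrub() function and every sample input are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with one row, standing in for the list's tblStuff."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblStuff (StuffID INTEGER PRIMARY KEY, Name TEXT, Role TEXT)"
    )
    conn.execute("INSERT INTO tblStuff VALUES (1, 'alice', 'user')")
    conn.commit()
    return conn


def scrub(value):
    """Constructed stand-in for a typical 'input scrubber'.

    It strips statement terminators and comment markers, which is what many
    hand-written filters do, but it leaves single quotes alone, so it does not
    keep the value from closing the string literal it is spliced into.
    """
    return value.replace(";", "").replace("--", "").replace("/*", "")


def update_name_concat(conn, stuff_id, name):
    """Unparameterized UPDATE: the scrubbed value is still spliced into the SQL text.

    StuffID is coerced to int, which mirrors what cf_sql_numeric buys you, so the
    WHERE clause is safe here; the SET clause is the part that is not.
    """
    sql = f"UPDATE tblStuff SET Name = '{scrub(name)}' WHERE StuffID = {int(stuff_id)}"
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the reader can see the statement that actually ran


def update_name_param(conn, stuff_id, name):
    """Parameterized UPDATE, mirroring the cfqueryparam example from the reply.

    The value is bound, never concatenated, and an all-whitespace input is sent
    as NULL, which is what Null="#YesNoFormat(Len(Trim(Form.Name)) EQ 0)#" does.
    """
    value = name.strip() or None
    conn.execute(
        "UPDATE tblStuff SET Name = ? WHERE StuffID = ?", (value, int(stuff_id))
    )
    conn.commit()
    return value


def get_row(conn, stuff_id):
    """Return (Name, Role) for a row, using a bound parameter for the lookup."""
    return conn.execute(
        "SELECT Name, Role FROM tblStuff WHERE StuffID = ?", (stuff_id,)
    ).fetchone()


# Constructed input: no semicolon and no comment marker, so scrub() passes it
# through unchanged, but it closes the Name literal and adds a second assignment.
EXTRA_ASSIGNMENT = "bob', Role = 'admin"


def main():
    # Concatenated statement: Role changes even though the form only carried a Name.
    conn = make_db()
    ran = update_name_concat(conn, 1, EXTRA_ASSIGNMENT)
    print("concatenated SQL:", ran)
    print("row after concatenated update:", get_row(conn, 1))

    # Bound parameter: the whole string lands in Name and Role is untouched.
    conn = make_db()
    update_name_param(conn, 1, EXTRA_ASSIGNMENT)
    print("row after parameterized update:", get_row(conn, 1))

    # Empty field becomes a real NULL rather than an empty string.
    update_name_param(conn, 1, "   ")
    print("row after blank input:", get_row(conn, 1))


if __name__ == "__main__":
    main()
```

The scrubber is deliberately a plausible one rather than a strawman: it removes the characters people usually think of, and it still does not help, because the problem is not any particular character but the fact that the input is being parsed as SQL at all. The bound version needs no scrubber for correctness, and the NULL handling comes for free in the same call.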

