> Not everyone has cfqueryparam available we are on CF4 for a
> few more months so we're SOL.
>
> But you could theoretically still do something like
>
> select *
> from blah
> where userdata; select * from blah
>
> which would be interpreted as a 2nd query. CFQUERY param
> might fix that it might come down to the old "better safe
> than sorry"
No, in my experience, CFQUERYPARAM would prevent that second SQL statement from being executed, assuming that the variable you were using contained "userdata; select * from blah". When you use CFQUERYPARAM, CF builds a prepared statement, which separates the SQL from the variables, and any SQL code contained within the variables won't be treated as SQL, but rather as literal data.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
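The mechanism Dave describes, shown as an added demonstration that is not part of the original thread: an in-memory SQLite database stands in for the ColdFusion datasource, the table name, rows and the stacked-statement value are constructed for the example, and the two functions mirror a plain `#variable#` interpolation versus a bound parameter such as `cfqueryparam` produces.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
ROWS = [(1, "alice"), (2, "bob")]
# Constructed attacker-controlled value, shaped like the thread's
# "userdata; select * from blah": a valid id followed by a second statement.
STACKED = "1; select * from blah"


def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table blah (id integer, name text)")
    con.executemany("insert into blah values (?, ?)", ROWS)
    return con


def interpolated(con, value):
    """CF4-style query: the variable is pasted into the SQL text,
    the equivalent of  where id = #url.id#  with no cfqueryparam."""
    sql = "select * from blah where id = " + value
    try:
        return con.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # The parser saw two statements. This driver refuses to run them;
        # a driver that allows stacked queries would execute both.
        return "rejected: " + str(exc)


def parameterized(con, value):
    """cfqueryparam-style query: the SQL text is fixed and the value is
    bound separately, so the whole string is compared as one literal."""
    sql = "select * from blah where id = ?"
    return con.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    con = setup_db()
    # A benign value behaves the same either way.
    print(interpolated(con, "1"), parameterized(con, "1"))
    # The stacked value is a second statement when interpolated,
    # but just a non-matching literal when bound as a parameter.
    print(interpolated(con, STACKED), parameterized(con, STACKED))
```

The bound version never reaches a second statement because "1; select * from blah" is compared as data against the id column and simply matches nothing.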

