Snake wrote:
> Select * from table
> Where x = #form.value#
> 
> And form.value = (delete from table) 

<cftry>
<!--- cfparam throws if form.value is missing or fails the numeric check --->
<cfparam name="form.value" type="numeric">
<cfcatch type="any"><cfthrow ...></cfcatch>
</cftry>

or

<cfif not isNumeric(form.value)>
   <cfthrow ...>
</cfif>

<cfqueryparam> is *NEVER* "required" if you're willing to code the other 
stuff.

But if you get in the habit of NOT using cfqueryparam, and you code the 
other stuff, you have to worry about forgetting to scrub the data at 
some point, and then you've got a security hole.

If you always use cfqueryparam, you simply don't have to worry about it.

I pretty much always use it - *AND* I often scrub the data ahead of 
time.  Even if it's a hardcoded value that just needs to be in the where 
clause, I still use cfqueryparam.

cfqueryparam helps with security, and it improves performance.

Why would you NOT use cfqueryparam?  (There is one valid answer that I'm 
aware of, that applies to a specific situation)

Rick
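The contrast Rick is drawing (interpolating `#form.value#` into the SQL text versus passing it through `<cfqueryparam>`, with the `cfparam`/`isNumeric()` gate as a separate layer) is shown below in a runnable Python/sqlite3 stand-in. This is an added example, not code from the thread: string formatting plays the role of `#form.value#` inside `<cfquery>`, DB-API parameter binding plays the role of `<cfqueryparam cfsqltype="cf_sql_integer">`, and `scrub_numeric()` is the `isNumeric()` check. The table `items`, its columns and rows, and the function names are constructed for the demo.

```python
"""Interpolated SQL vs. bound parameters, on an in-memory SQLite table.

Added illustration for the cfqueryparam discussion above (not ColdFusion
code from the thread).  Table, columns and rows are constructed sample data.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three rows keyed by an integer column x.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (x INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(1, "alpha"), (2, "beta"), (3, "gamma")],
    )
    conn.commit()
    return conn


def query_interpolated(conn: sqlite3.Connection, form_value: str) -> list:
    # Equivalent of:  SELECT * FROM items WHERE x = #form.value#
    # The user-supplied text is spliced into the SQL grammar, so anything
    # that parses as SQL (OR 1=1, a subquery, ...) changes what the query does.
    sql = f"SELECT x, name FROM items WHERE x = {form_value}"
    return conn.execute(sql).fetchall()


def query_bound(conn: sqlite3.Connection, form_value: str) -> list:
    # Equivalent of:
    #   WHERE x = <cfqueryparam value="#form.value#" cfsqltype="cf_sql_integer">
    # The value travels separately from the SQL text; the database treats it
    # as a single comparison operand, never as SQL.  A well-formed integer
    # string ("2") is coerced to the column's INTEGER affinity and matches;
    # "1 OR 1=1" is compared as a text value and matches nothing.
    return conn.execute(
        "SELECT x, name FROM items WHERE x = ?", (form_value,)
    ).fetchall()


def scrub_numeric(form_value: str) -> int:
    # The cfparam type="numeric" / isNumeric() gate from the post, done
    # strictly: only an optionally signed run of digits is accepted.
    if not re.fullmatch(r"-?\d+", form_value):
        raise ValueError(f"form.value is not numeric: {form_value!r}")
    return int(form_value)


def lookup(conn: sqlite3.Connection, form_value: str) -> list:
    # Belt and braces, as Rick describes: validate first, then bind anyway.
    return query_bound(conn, str(scrub_numeric(form_value)))


if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "1 OR 1=1", "(SELECT MAX(x) FROM items)"):
        print(f"{payload!r:32} interpolated={query_interpolated(db, payload)}"
              f" bound={query_bound(db, payload)}")
```

Run it and the interpolated query returns every row for `1 OR 1=1` and the highest-keyed row for the parenthesised subquery, while the bound query returns only the row for a genuine number. Note that the scrub alone would also have stopped both payloads; the point of the post is that binding still protects you on the day you forget to scrub.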


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250683