Setting aside the security aspect, it also improves performance by causing your database server to bind the variables before executing the query.
Straight from Macromedia: http://tinyurl.com/oo49m (link to docs)

- Allows the use of SQL bind parameters, which improves performance.
- Ensures that variable data matches the specified SQL type.
- Allows long text fields to be updated from a SQL statement.
- Escapes string variables in single-quotation marks.

Example:

    <cfquery name = "getEmployees" dataSource = "cfdocexamples">
        SELECT * FROM employees
        WHERE LastName = <cfqueryparam value = "#LastName#" cfsqltype = "cf_sql_char" maxLength = "17"/>
    </cfquery>

In this case, cfqueryparam performs the following checks:

- It ensures that LastName contains a string.
- It ensures that the string is 17 characters or less.
- It escapes the string with single-quotation marks so that it appears as a single value to the database.

Even if a hacker passes a bad URL, it appears as follows:

    WHERE LastName = 'Smith DELETE FROM MyCustomerTable'

>That's the thing... When is cfqueryparam REALLY necessary for security? I
>want to see some examples that require cfqueryparam.
>
>Russ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:250728
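To make the difference between pasting a value into the statement text and binding it concrete, here is an added example that is not part of this post or of the Macromedia docs. It is written in Python against an in-memory SQLite table rather than in CFML, with SQLite standing in for the cfdocexamples datasource; the employees rows, column names and the attacker inputs are all constructed for the demo. `by_name_param` mirrors what `cfqueryparam` with `cf_sql_char` and `maxLength="17"` does (type check, length check, then bind), and `by_id_param` mirrors `cf_sql_integer`. The numeric case goes one step beyond the docs excerpt: because an integer is never wrapped in quotes, escaping quotes alone would not protect it, and it is the type check plus binding that does.

```python
import sqlite3

# Constructed sample data standing in for the "employees" table of the
# cfdocexamples datasource named in the post (assumption: only these
# columns and rows; nothing here comes from the real datasource).
SAMPLE_ROWS = [
    (1, "Smith"),
    (2, "Jones"),
    (3, "Okafor"),
]


def make_db():
    """In-memory SQLite database holding the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (EmpID INTEGER PRIMARY KEY, LastName TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def by_name_concat(conn, last_name):
    """Unsafe: the value becomes part of the SQL text, the same as
    WHERE LastName = '#LastName#' written without cfqueryparam."""
    sql = "SELECT LastName FROM employees WHERE LastName = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def by_name_param(conn, last_name, max_length=17):
    """Safe: mirrors <cfqueryparam cfsqltype="cf_sql_char" maxLength="17">.
    Type and length are checked first; the value is then bound, so the
    database only ever sees it as data, never as SQL."""
    if not isinstance(last_name, str):
        raise TypeError("cf_sql_char expects a string")
    if len(last_name) > max_length:
        raise ValueError("value longer than maxLength=%d" % max_length)
    sql = "SELECT LastName FROM employees WHERE LastName = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def by_id_concat(conn, emp_id):
    """Unsafe numeric case: there are no quotes around the value, so
    escaping quotes would change nothing here."""
    sql = "SELECT LastName FROM employees WHERE EmpID = " + emp_id
    return [row[0] for row in conn.execute(sql)]


def by_id_param(conn, emp_id):
    """Safe: mirrors cfsqltype="cf_sql_integer". Anything that is not an
    integer is rejected before any SQL runs."""
    try:
        value = int(emp_id)
    except (TypeError, ValueError):
        raise ValueError("cf_sql_integer expects an integer, got %r" % (emp_id,))
    sql = "SELECT LastName FROM employees WHERE EmpID = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def run_demo():
    """Run the same two attacker inputs (constructed) through both paths."""
    conn = make_db()
    name_payload = "x' OR '1'='1"   # turns the WHERE clause into a tautology
    id_payload = "1 OR 1=1"         # same idea, no quotes needed
    results = {
        "name_concat": by_name_concat(conn, name_payload),  # every row leaks
        "name_param": by_name_param(conn, name_payload),    # no such surname
        "id_concat": by_id_concat(conn, id_payload),        # every row leaks
    }
    try:
        by_id_param(conn, id_payload)
        results["id_param"] = "accepted"
    except ValueError:
        results["id_param"] = "rejected"
    try:
        by_name_param(conn, "A" * 18)   # one character over maxLength
        results["too_long"] = "accepted"
    except ValueError:
        results["too_long"] = "rejected"
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(check, outcome)
```

Running it shows the two concatenated lookups returning all three rows for inputs that should match nothing, while the parameterised lookups return an empty result for the string payload and refuse the numeric one outright. That is the answer to "when is it really necessary": any time the value in the WHERE clause can be influenced by the request.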

