>So, on CF7, cfqueryparam does prevent some kinds of SQL injection in
>QoQ in a meaningful way.

Well, that's not a true SQL injection though, since the database layer is not 
involved. Probably classified more as just code injection. Really bad coding 
practice for sure. ;-) But you are right, it's probably not a bad idea to use 
cfqueryparam on any user input. In the case I was working with, they were 
internal, not user-generated variables, so I just wondered if there was any 
other reason to use it. 

Mary Jo


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:267246