On 1/23/07, Judah McAuley <[EMAIL PROTECTED]> wrote:
> Richard Cooper wrote:
> > Also, you didn't use the cfqueryparam tag
> >
> > Like this:
> >
> > '#session.lname#',
> > <cfqueryparam value="#createodbcdatetime(now())#" cfsqltype="cf_sql_date" />)
>
> There's no need to use cfqueryparam (as far as I know) in this situation
> because it's not user-supplied data. Now() is a CF function as is
> CreateODBCDateTime, so I don't see any chance for a user to override
> this value with a malicious one. Am I missing something?

Don't forget that preventing SQL injection attacks is only one benefit of cfqueryparam. Creating bind variables to increase performance is another :)

--
Charlie Griefer

================================================
"...All the world shall be your enemy, Prince with a Thousand Enemies,
and whenever they catch you, they will kill you. But first they must catch
you, digger, listener, runner, prince with a swift warning. Be cunning and
full of tricks and your people shall never be destroyed."

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:267401
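
An added example, not part of the original thread: the bind-variable point above, shown with Python's sqlite3 as a stand-in for cfquery/cfqueryparam (the table, column names and sample rows are constructed). With a changing timestamp pasted into the SQL, every INSERT is a new statement text for the database to parse; with placeholders the text stays constant and each value, including a name containing an apostrophe, is passed as data.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows: a changing timestamp per insert, as with now().
BASE = datetime(2007, 1, 23, 12, 0, 0)
ROWS = [(name, (BASE + timedelta(seconds=i)).isoformat(sep=" "))
        for i, name in enumerate(["Smith", "Smith", "O'Brien"])]

def run_inserts(rows, bind):
    """Insert rows; return (distinct SQL texts sent, rows stored, failed statements)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (lname TEXT, created TEXT)")  # hypothetical table
    texts, failed = set(), 0
    for lname, created in rows:
        if bind:
            # Constant statement text; values travel separately as parameters.
            sql, params = "INSERT INTO users (lname, created) VALUES (?, ?)", (lname, created)
        else:
            # Values pasted into the text: a new statement for every timestamp.
            sql, params = f"INSERT INTO users (lname, created) VALUES ('{lname}', '{created}')", ()
        texts.add(sql)
        try:
            conn.execute(sql, params)
        except sqlite3.Error:
            failed += 1  # e.g. the apostrophe ends the string literal early
    stored = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    conn.close()
    return len(texts), stored, failed

if __name__ == "__main__":
    print("bound  :", run_inserts(ROWS, bind=True))
    print("inlined:", run_inserts(ROWS, bind=False))
```
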

