Is there any way for someone to hack a quoted query?

<!--- name and datasource attributes are placeholders; cfquery requires both --->
<cfquery name="q" datasource="myDSN">
select * from table where name='#form.lastname#'
</cfquery>

vs

<cfquery name="q" datasource="myDSN">
select * from table where name=<cfqueryparam cfsqltype="cf_sql_varchar" maxlength="255" value="#form.lastname#"/>
</cfquery>


Seems anything I throw at the quoted query gets escaped correctly...
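The difference between the two queries above, modelled in Python with sqlite3 as an added example (not code from the original post or from ColdFusion itself). The first function pastes the value into a quoted literal after doubling single quotes, which is what ColdFusion does to a variable interpolated inside a cfquery; the second binds the value as a parameter and applies the cfsqltype and maxlength checks before the statement is sent. The table name `people` and the sample rows are constructed for the example.

```python
import sqlite3

MAXLENGTH = 255  # mirrors maxlength="255" on the cfqueryparam tag


def setup_db():
    """Build an in-memory table with constructed sample rows (hypothetical 'people' table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO people (name) VALUES (?)",
        [("Smith",), ("O'Brien",), ("Jones",)],
    )
    conn.commit()
    return conn


def quoted_query(conn, lastname):
    """Model of the first cfquery: the value is pasted into a quoted SQL literal.

    ColdFusion doubles single quotes in a variable interpolated inside a
    cfquery, so the same escaping is applied here before the SQL string is
    built. The database still receives code and data as one string, and no
    type or length check is made on the value.
    """
    escaped = lastname.replace("'", "''")
    sql = f"SELECT name FROM people WHERE name='{escaped}'"
    return [row[0] for row in conn.execute(sql)]


def param_query(conn, lastname, maxlength=MAXLENGTH):
    """Model of the cfqueryparam version.

    The value never becomes part of the SQL text: it is bound as a parameter
    by the driver. cfsqltype="cf_sql_varchar" and maxlength="255" are
    modelled as an explicit type check and a length check, raised as errors
    before the statement reaches the database.
    """
    if not isinstance(lastname, str):
        raise TypeError("cf_sql_varchar expects a string value")
    if len(lastname) > maxlength:
        raise ValueError(f"value is longer than maxlength={maxlength}")
    sql = "SELECT name FROM people WHERE name=?"
    return [row[0] for row in conn.execute(sql, (lastname,))]


if __name__ == "__main__":
    db = setup_db()
    for value in ("Smith", "O'Brien", "x" * 300):
        print("quoted :", repr(value[:20]), "->", quoted_query(db, value))
        try:
            print("param  :", repr(value[:20]), "->", param_query(db, value))
        except ValueError as err:
            print("param  :", repr(value[:20]), "-> rejected:", err)
```

Both functions return the same rows for a legitimate name containing a quote such as O'Brien, which is the behaviour the post describes. The visible difference is in what the parameterised version refuses: a 300-character value is rejected before any SQL is sent, whereas the quoted version silently runs it, because the escaping only concerns quote characters and says nothing about the value's type or size.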

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285730