> I get the fact that it's important to prevent SQL injection 
> attacks, etc etc.  While I certainly see the value of that, I 
> must admit that I'm not sold on cfqueryparam for that reason 
> alone.  Our web application tends to check incoming data 
> before it even gets to a SQL statement.  So, while I have 
> started using cfqp everywhere, I probably wouldn't use it for 
> security alone.  Hate me if you must.  (-;

It's one thing to check incoming data (not to mention "tend to check" said
data) and another thing to separate data from SQL code, which is what
CFQUERYPARAM does. The former is no substitute for the latter.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
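The distinction above, shown as an added example that is not part of the thread: a name check that sensibly admits legitimate values such as O'Brien still lets that value break a query built by string concatenation, while a bound parameter (the mechanism behind cfqueryparam) treats it as data. Written in Python with sqlite3 for a runnable demonstration; the users table, the validation rule and the sample row are constructed.

```python
import re
import sqlite3

# Constructed sample database with one legitimate row (the name O'Brien).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('O''Brien')")
    conn.commit()
    return conn

# A plausible "check incoming data" rule (assumed, not from the thread):
# letters, apostrophes, hyphens and spaces, at most 50 characters.
# It must accept apostrophes, or real customers cannot log in.
NAME_RE = re.compile(r"^[A-Za-z' -]{1,50}$")

def is_valid_name(value):
    return bool(NAME_RE.match(value))

def lookup_concat(conn, name):
    """Checked data spliced into SQL text: the check passes, the query still breaks."""
    if not is_valid_name(name):
        raise ValueError("rejected by input check")
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The apostrophe inside a perfectly valid name is now SQL syntax.
        return "SQL error: " + str(exc)

def lookup_param(conn, name):
    """The cfqueryparam approach: the value is bound separately from the SQL."""
    if not is_valid_name(name):
        raise ValueError("rejected by input check")
    sql = "SELECT id FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "O'Brien"))  # SQL error: ...
    print(lookup_param(db, "O'Brien"))   # [1]
```

The same shape in CFML is `WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">`, which keeps the value out of the statement text entirely.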

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291996