>>Bottom line: ***always*** use cfqueryparam. Period. There are no acceptable "exceptions to the rule".
Even with something like UPDATE myTable SET myDate = <cfqueryparam value="#now()#" CFSQLType="CF_SQL_TIMESTAMP">? Or this: UPDATE myTable SET myValue = <cfqueryparam value="#someOtherQuery.someOtherValue#" CFSQLType="CF_SQL_INTEGER">? Just ridiculous.

OK, it "improves performance", if you care about microseconds, but there is no security aspect here. The increase in performance can make a significant difference only for very big queries or very repetitive code. As the docs say: "Bind variable usage enhances performance when executing a cfquery statement multiple times." Otherwise, the advantage is only for security purposes, and there is a risk only for variables set by a visitor. If the content is set by your CF program itself, where is the risk? It is like putting a lock on an empty box. Personally, I care more about code readability than useless security.

-- 
_______________________________________
REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309425
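Added example, not part of the original message or of ColdFusion: the "someOtherQuery.someOtherValue" case above, where the value written into an UPDATE came from the database rather than from the visitor, shown in Python with sqlite3 standing in for cfquery. The stored value is constructed for the example; it is an ordinary string containing an apostrophe, and the comparison shows why a bound parameter (the cfqueryparam form) and inline interpolation behave differently even for the program's own data.

```python
import sqlite3

# Constructed sample data: a label the application itself stored earlier.
# It never came from the current request, yet it still contains a quote.
STORED_LABEL = "O'Brien's report"


def setup() -> sqlite3.Connection:
    """Create an in-memory database with a source row and a target row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE source (id INTEGER PRIMARY KEY, label TEXT)")
    conn.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, myValue TEXT)")
    conn.execute("INSERT INTO source (id, label) VALUES (1, ?)", (STORED_LABEL,))
    conn.execute("INSERT INTO myTable (id, myValue) VALUES (1, 'old')")
    conn.commit()
    return conn


def update_interpolated(conn: sqlite3.Connection) -> str:
    """Same as writing #someOtherQuery.someOtherValue# straight into the SQL.

    The stored text becomes part of the statement the SQL parser sees, so a
    quote inside it changes the statement's structure instead of its data.
    """
    label = conn.execute("SELECT label FROM source WHERE id = 1").fetchone()[0]
    sql = f"UPDATE myTable SET myValue = '{label}' WHERE id = 1"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        conn.rollback()
        return f"error: {exc}"


def update_bound(conn: sqlite3.Connection) -> str:
    """Same as <cfqueryparam ...>: the value is bound and never parsed as SQL."""
    label = conn.execute("SELECT label FROM source WHERE id = 1").fetchone()[0]
    conn.execute("UPDATE myTable SET myValue = ? WHERE id = 1", (label,))
    conn.commit()
    return "ok"


def current_value(conn: sqlite3.Connection) -> str:
    """Read back myTable.myValue so the two update paths can be compared."""
    return conn.execute("SELECT myValue FROM myTable WHERE id = 1").fetchone()[0]
```

The interpolated path fails on a harmless apostrophe and leaves the row untouched; the bound path stores the value exactly, which is the behaviour the parameter form guarantees regardless of where the data originated.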

