Ok, I understand why you think it's ridiculous, but here's a reason to do it.
What if you have:

    UPDATE myTable SET myValue = #someOtherQuery.someOtherValue#

and Billy New-Developer comes along and decides that someOtherQuery.someOtherValue could really do with coming directly from the user? Will he add the cfqp if it's not already there? Maybe, maybe not.

Having said that, I have queries that aren't cfqp'd because the data comes from in the page.

Just a thought.

Adrian

-----Original Message-----
From: Claude Schneegans [mailto:[EMAIL PROTECTED]
Sent: 22 July 2008 02:38
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scractching My Head...

>>Bottom line: ***always*** use cfqueryparam. Period. There are no acceptable "exceptions to the rule".

Even with something like

    UPDATE myTable SET myDate = <cfqueryparam value = "#now()#" CFSQLType = "CF_SQL_TIMESTAMP">

? OR this:

    UPDATE myTable SET myValue = <cfqueryparam value = "#someOtherQuery.someOtherValue#" CFSQLType = "CF_SQL_INTEGER">

?

Just ridiculous. OK, it "improves performance", if you care about microseconds, but there is no security aspect here.

The increase of performance can make a significant difference only for very big queries or very repetitive code. As the docs say: "Bind variable usage enhances performance when executing a cfquery statement multiple times."

Otherwise, the advantage is only for security purpose,... and there is a risk only for variables set by a visitor. If the content is set by your CF program itself, where is the risk? It is like putting a lock on an empty box.

Personally, I care more about code readability than useless security.
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309582
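
The scenario from the reply above, as an added example that is not code from either poster: the same UPDATE written once with the value interpolated and once bound, first fed the value the other query returns today and then a value taken from the request. It assumes Python's sqlite3 as a stand-in for cfquery, with the `?` placeholder plus `int()` playing the role of cfqueryparam with CF_SQL_INTEGER; the `WHERE id = 1` clause, the sample rows and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    """Constructed sample table: three rows, all with myValue = 0."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE myTable (id INTEGER PRIMARY KEY, myValue INTEGER)")
    db.executemany("INSERT INTO myTable VALUES (?, 0)", [(1,), (2,), (3,)])
    return db

def update_interpolated(db, value):
    # Stand-in for SET myValue = #someOtherQuery.someOtherValue#:
    # the value is pasted into the statement and parsed as SQL text.
    db.execute(f"UPDATE myTable SET myValue = {value} WHERE id = 1")

def update_bound(db, value):
    # Stand-in for cfqueryparam with CF_SQL_INTEGER (assumption):
    # check the type first, then pass the value as a bind variable.
    db.execute("UPDATE myTable SET myValue = ? WHERE id = 1", (int(value),))

def values(db):
    return [row[0] for row in db.execute("SELECT myValue FROM myTable ORDER BY id")]

def run(update, value):
    """Apply one update to a fresh table; return (outcome, column contents)."""
    db = make_db()
    try:
        update(db, value)
        outcome = "ok"
    except ValueError:
        outcome = "rejected"
    return outcome, values(db)

TRUSTED = 7          # what the other query returns today
FROM_USER = "7 --"   # constructed input after the source is switched to the request

if __name__ == "__main__":
    for update in (update_interpolated, update_bound):
        for value in (TRUSTED, FROM_USER):
            print(update.__name__, repr(value), run(update, value))
```

Both forms behave identically while the value is program-controlled; they only diverge after the source changes, where the interpolated statement loses its WHERE clause to the trailing comment and the bound one rejects the value.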

