WOW! Thanks for all the feedback! One question about CFQUERYPARAM, I use this when I accept anything that is available to the general public, but is it necessary to use this when the form is only accessible via username/password?
Is there ever a reason not to use CFQUERYPARAM? Thanks everyone!

>You don't need evaluate for dynamically created form variables, in almost
>all cases the struct syntax #form['type'&idx]# will suffice and is more
>efficient. For this particular scenario, evaluate is an unnecessary overhead
>and should be avoided.
>
><cfquery datasource="#request.datasource#">
>  <cfloop from="1" to="#rows#" index="idx">
>    INSERT INTO tbl_ballotOrder (
>      type,
>      number,
>      issue
>    ) VALUES (
>      <cfqueryparam value="#form['type'&idx]#" cfsqltype="cf_sql_varchar" />,
>      <cfqueryparam value="#form['number'&idx]#" cfsqltype="cf_sql_integer" />,
>      <cfqueryparam value="#form['issue'&idx]#" cfsqltype="cf_sql_varchar" />
>    )
>  </cfloop>
></cfquery>
>
>May I also point out the use of CFQUERYPARAM. It's basic principles; unless
>you've got a damn fine reason not to, always use cfqueryparam. Protect
>yourself from SQL injection attacks, make your life easier.
>
>No offence intended, but Will, I urge you to ignore the 'evaluate' based
>advice.
>
>Cheers,
>Gabriel
>
>I agree with NK pay attention to the evaluate function. It works like a
>charm for dynamically created form variables. I use it often. :)
>--
>Ryan LeTulle
>
>part).

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323310
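An added example, not code from anyone in this thread: the quoted INSERT loop with every dynamic field checked before it is bound, since cfqueryparam binds a value the same way whether or not the form sits behind a login. It assumes `rows` was set earlier as in the quoted code; the `maxRows` bound, the `maxlength` values and the error type name are assumptions, and it issues one cfquery per row inside a transaction rather than one cfquery around the loop.

```cfml
<!--- Added example. maxRows, the maxlength values and the error type
      "BallotOrder.InvalidInput" are assumptions, not from the thread. --->
<cfset maxRows = 200>
<cfif NOT isValid("integer", rows) OR rows LT 1 OR rows GT maxRows>
    <cfthrow type="BallotOrder.InvalidInput" message="Row count out of range.">
</cfif>

<!--- Validate every row first, so a bad row rejects the whole submission. --->
<cfloop from="1" to="#rows#" index="idx">
    <cfloop list="type,number,issue" index="fieldName">
        <cfset key = fieldName & idx>
        <!--- Struct syntax instead of evaluate(): the key is only ever a lookup. --->
        <cfif NOT structKeyExists(form, key)>
            <cfthrow type="BallotOrder.InvalidInput" message="Missing field #key#.">
        </cfif>
    </cfloop>
    <cfif NOT isValid("integer", form["number" & idx])>
        <cfthrow type="BallotOrder.InvalidInput" message="Field number#idx# must be an integer.">
    </cfif>
</cfloop>

<!--- All rows are inserted, or none are. --->
<cftransaction>
    <cfloop from="1" to="#rows#" index="idx">
        <cfquery datasource="#request.datasource#">
            INSERT INTO tbl_ballotOrder (type, number, issue)
            VALUES (
                <cfqueryparam value="#form['type' & idx]#" cfsqltype="cf_sql_varchar" maxlength="50">,
                <cfqueryparam value="#form['number' & idx]#" cfsqltype="cf_sql_integer">,
                <cfqueryparam value="#form['issue' & idx]#" cfsqltype="cf_sql_varchar" maxlength="255">
            )
        </cfquery>
    </cfloop>
</cftransaction>
```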

