Right.
However about CFQUERYPARAM, keep in mind that:
- this will prevent SQL injection, not all forms of attacks;
- CFQUERYPARAM makes all values look like "parameter 1"... in the error messages, instead of the real values, not really handy when debugging;
- CFQUERYPARAM makes all queries more difficult to write AND to read for programmers;
- disabling multiple statement execution in the database will prevent SQL injection as well;
- ending a query on an error because of CFQUERYPARAM will prevent the injection, but will not give you any hint that it was really an attack.

Personally I prefer checking crucial form and url parameters and eventually ban the intruder before submitting the query.
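Added example, not from the original post or the cf-talk list: a CFML request handler that does both of the things discussed above, validating and logging the suspicious value first (so the failure is recorded as a possible attack rather than as an opaque "parameter 1" error) and then binding it with CFQUERYPARAM. The datasource "appDS", the "users" table and its integer "id" column are assumed names.

```cfml
<!--- Added example; assumes a datasource "appDS" and a table "users" with an
      integer "id" column (constructed names, not from the original post). --->
<cfset userId = url.id>

<!--- Validate before touching the database. A non-integer id is logged with
      its real value and the client address, which is the "hint that it was
      really an attack" that a bound-parameter error alone does not give. --->
<cfif NOT isValid("integer", userId)>
    <cflog file="security" type="warning"
           text="Rejected non-integer id='#userId#' from #cgi.remote_addr#">
    <cfthrow type="InvalidInput" message="id must be an integer">
</cfif>

<!--- Bind the value as a typed parameter. The driver receives it separately
      from the SQL text, so it is never parsed as SQL, whether or not multiple
      statement execution is enabled on the database. --->
<cftry>
    <cfquery name="getUser" datasource="appDS">
        SELECT id, username
        FROM users
        WHERE id = <cfqueryparam value="#userId#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="database">
        <!--- Record the real value here, so the generic "parameter 1" text in
              the database error is not the only thing left for debugging. --->
        <cflog file="security" type="error"
               text="Query failed for id='#userId#': #cfcatch.message#">
        <cfrethrow>
    </cfcatch>
</cftry>
```

The validation step can be extended with the ban-on-repeat logic the post mentions; the CFQUERYPARAM binding stays as the last line of defence regardless of what the validation lets through.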


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344119
