That protects against SQL injection, but it doesn't help with caching compiled execution plans, which is the main reason for not hard-coding values into the SQL string instead of passing them as parameters.

Not parameterising queries properly is just a really poor practice. And it should not ever be encouraged (even with very thorough mitigating explanations such as the one you give here).

-- 
Adam

On 22 January 2013 22:57, Nick Voss <[email protected]> wrote:
>
> If you really can't build it using conditions/loops/etc within your query
> tag then build it like you are but eliminate the cfqueryparam tags, and
> HEAVILY validate the variables being put into those tags. Then you can
> concatenate a string together that will work. You'll just need to be super
> careful to ensure no invalid text is being put into the variables. Remove
> anything non-numeric from number fields with a regular expression, remove
> any html from text, eliminate any single quotes from text. That sort of
> thing.
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354020
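As an added example (not code from either poster), this is the approach Adam is arguing for: the optional filters are built with conditions inside the query tag, while every user-supplied value still goes through cfqueryparam. The datasource, table and column names are hypothetical.

```cfml
<!--- Added example: dynamic WHERE clause assembled inside the cfquery tag.
      Only the SQL *shape* changes with the filters; every value is bound
      as a parameter, so the driver can reuse a compiled plan per shape
      and no user input is ever concatenated into the SQL text.
      Datasource, table and column names are hypothetical. --->
<cfparam name="url.status" default="">
<cfparam name="url.minAge" default="">
<cfparam name="url.name"   default="">
<cfparam name="url.ids"    default="">

<cfquery name="qUsers" datasource="myDsn">
    SELECT id, name, status, age
    FROM   users
    WHERE  1 = 1
    <cfif len(trim(url.status))>
        AND status = <cfqueryparam value="#trim(url.status)#"
                                   cfsqltype="cf_sql_varchar" maxlength="20">
    </cfif>
    <cfif isNumeric(url.minAge)>
        AND age >= <cfqueryparam value="#url.minAge#" cfsqltype="cf_sql_integer">
    </cfif>
    <cfif len(trim(url.name))>
        <!--- the wildcard is part of the bound value, not of the SQL text --->
        AND name LIKE <cfqueryparam value="%#trim(url.name)#%" cfsqltype="cf_sql_varchar">
    </cfif>
    <cfif listLen(url.ids)>
        <!--- list="true" expands to one bound parameter per list element --->
        AND id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
    </cfif>
    ORDER BY name
</cfquery>
```

Each combination of active filters produces one SQL string, so the database caches a plan per filter combination rather than per distinct value, which is the caching benefit Adam refers to.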

