Terry, as I understand it, using <cfqueryparam> stops any SQL being hacked into the query through the url or form var. It ensures that the passed variable is treated as a variable and not read as anything else.
d

----- Original Message -----
From: "Terry Riley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 11, 2003 1:30 PM
Subject: [ cf-dev ] Use of <cfqueryparam>

> I've seen a lot of code lately where the query (either extracting,
> inserting or updating information) uses the
>
> <cfqueryparam value="#xxx#"> in the WHERE clause, without qualifying the
> parameter with a cfsqltype.
>
> I can understand the use of the cfqueryparam with a cfsqltype and other
> attributes as one way of preventing cross-site scripting (adding
> additional text to the string to do something evil), but see no point in
> using
>
> 'WHERE ID = <cfqueryparam value="#url.ID#">'
>
> as opposed to
>
> 'WHERE ID = "#url.ID#"'
>
> Is there one? Is it faster? Manuals and googles don't seem to come up with
> an answer.....
>
> Cheers
> Terry
>
> --
> ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> For human help, e-mail: [EMAIL PROTECTED]
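The two WHERE clauses from Terry's question, side by side, as an added example that is not code from either message in the thread; the datasource name `app` and the table `users` are assumed for illustration.

```cfml
<!--- Added example, not from the original thread. Datasource "app" and
      table "users" are hypothetical names. --->

<!--- Vulnerable form: url.ID is pasted into the SQL text, so the database
      parses whatever arrived in the URL as part of the statement. --->
<cfquery name="getUserUnsafe" datasource="app">
    SELECT id, username
    FROM   users
    WHERE  id = #url.ID#
</cfquery>

<!--- Reject bad input at the edge before it reaches the data layer, so a
      malformed ID produces a clean 400 rather than a database error page. --->
<cfif NOT isNumeric(url.ID)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- Hardened form: cfqueryparam sends the value as a bind parameter,
      separate from the SQL text, so it can never be read as SQL. Without
      cfsqltype the parameter is bound as CF_SQL_CHAR (the default); naming
      the type lets ColdFusion validate the value as an integer before the
      query runs and binds it with the column's own type. Because the SQL
      text is identical on every request, the database can also reuse the
      cached execution plan, which is the "is it faster?" part of the answer. --->
<cfquery name="getUserSafe" datasource="app">
    SELECT id, username
    FROM   users
    WHERE  id = <cfqueryparam value="#url.ID#" cfsqltype="cf_sql_integer">
</cfquery>
```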
