But only if qualified by the cfsqltype, as far as I can tell. Anyone else care to comment?
Cheers
Terry

----------Original Message---------
> Terry,
>
> As I understand it using <cfqueryparam stops any SQL being hacked into the
> query through the url or form var. It ensures that the passed variable is
> treated as a variable and not read as anything else.
>
> d
>
> ----- Original Message -----
> From: "Terry Riley" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 11, 2003 1:30 PM
> Subject: [ cf-dev ] Use of <cfqueryparam>
>
>
> > I've seen a lot of code lately where the query (either extracting,
> > inserting or updating information) uses the
> >
> > <cfqueryparam value="#xxx#"> in the WHERE clause, without qualifying the
> > parameter with a cfsqltype.
> >
> > I can understand the use of the cfqueryparam with a cfsqltype and other
> > attributes as one way of preventing cross-site scripting (adding
> > additional text to the string to do something evil), but see no point in
> > using
> >
> > 'WHERE ID = <cfqueryparam value="#url.ID#">'
> >
> > as opposed to
> >
> > 'WHERE ID = "#url.ID#"'
> >
> > Is there one? Is it faster? Manuals and googles don't seem to come up with
> > an answer.....
> >
> > Cheers
> > Terry

--
** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For human help, e-mail: [EMAIL PROTECTED]
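The three query forms the thread is comparing, side by side, as an added example rather than code posted by anyone on the list. It assumes a datasource named siteDSN and a table users(id INTEGER, username VARCHAR), both invented for illustration; url.id is treated as attacker-controlled input. The behaviour described in the comments follows from how cfqueryparam works: the value is always sent to the database as a bound parameter, the cfsqltype attribute defaults to CF_SQL_CHAR when omitted, and giving a cfsqltype additionally makes ColdFusion validate the value against that type before the query is sent.

```cfml
<!--- Added example, not from the cf-dev thread. Assumed: datasource "siteDSN",
      table users(id INTEGER, username VARCHAR). url.id is untrusted input,
      e.g. index.cfm?id=1 OR 1=1 --->
<cfparam name="url.id" default="1">

<!--- 1. Interpolated value: the request string becomes part of the SQL text.
      With id=1 OR 1=1 the WHERE clause is "WHERE id = 1 OR 1=1" and every
      row in the table comes back. This is the form to avoid. --->
<cfquery name="getUserRaw" datasource="siteDSN">
    SELECT id, username
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- 2. cfqueryparam with no cfsqltype: the value is still bound as a
      parameter (cfsqltype defaults to CF_SQL_CHAR), so the whole string
      "1 OR 1=1" is compared to the id column as one value and is never
      parsed as SQL. Because it is bound as a character value, the database
      is left to convert it to the column's integer type; a non-numeric
      value then fails, or matches nothing, at the database rather than
      being caught in ColdFusion. --->
<cfquery name="getUserChar" datasource="siteDSN">
    SELECT id, username
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#">
</cfquery>

<!--- 3. cfqueryparam with cfsqltype: bound as an integer, and ColdFusion
      rejects a non-integer value before any SQL is sent. cftry is used here
      only so the page can report the rejection instead of erroring out. --->
<cftry>
    <cfquery name="getUserInt" datasource="siteDSN">
        SELECT id, username
        FROM   users
        WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfset intResult = "#getUserInt.recordCount# row(s)">
    <cfcatch type="any">
        <cfset intResult = "rejected before the query ran: #cfcatch.message#">
    </cfcatch>
</cftry>

<cfoutput>
    <p>Interpolated: #getUserRaw.recordCount# row(s)</p>
    <p>cfqueryparam, default CF_SQL_CHAR: #getUserChar.recordCount# row(s)</p>
    <p>cfqueryparam, cf_sql_integer: #intResult#</p>
</cfoutput>
```

Requesting the page with a plain id=1 gives one row from each query; requesting it with id=1 OR 1=1 shows the difference between the forms: the interpolated query returns the whole table, the unqualified cfqueryparam never lets the injected text reach the SQL parser, and the typed cfqueryparam stops the request in ColdFusion with a type error before the database is involved.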
