The CFSQLTYPE is used to validate the input. Use of the cfqueryparam tag will always have the effect of preventing SQL injection. e.g.
The following uses a cfqueryparam tag without the cfsqltype attribute:

test (Records=1, Time=10ms)
SQL =
SELECT * FROM event where eventid = ?
Query Parameter Value(s) -
Parameter #1 = 123

Steve

> -----Original Message-----
> From: Terry Riley [mailto:[EMAIL PROTECTED]
> Sent: 12 November 2003 09:10
> To: [EMAIL PROTECTED]
> Subject: Re: [ cf-dev ] Use of <cfqueryparam>
>
>
> But only if qualified by the cfsqltype, as far as I can tell.
>
> Anyone else care to comment?
>
> Cheers
> Terry
>
> ----------Original Message---------
>
> > Terry,
> >
> > As I understand it using <cfqueryparam stops any SQL being hacked into
> > the query through the url or form var. It ensures that the passed
> > variable is treated as a variable and not read as anything else.
> >
> > d
> >
> > ----- Original Message -----
> > From: "Terry Riley" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, November 11, 2003 1:30 PM
> > Subject: [ cf-dev ] Use of <cfqueryparam>
> >
> >
> > > I've seen a lot of code lately where the query (either extracting,
> > > inserting or updating information) uses the
> > >
> > > <cfqueryparam value="#xxx#"> in the WHERE clause, without qualifying
> > > the parameter with a cfsqltype.
> > >
> > > I can understand the use of the cfqueryparam with a cfsqltype and
> > > other attributes as one way of preventing cross-site scripting (adding
> > > additional text to the string to do something evil), but see no point
> > > in using
> > >
> > > 'WHERE ID = <cfqueryparam value="#url.ID#">'
> > >
> > > as opposed to
> > >
> > > 'WHERE ID = "#url.ID#"'
> > >
> > > Is there one? Is it faster? Manuals and googles don't seem to come up
> > > with an answer.....
> > >
> > > Cheers
> > > Terry
> > >
> --
> ** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> For human help, e-mail: [EMAIL PROTECTED]
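Added example (not part of the thread above, and not ColdFusion code): a small Python sqlite3 script that reproduces, at the database-driver level, the three forms the thread is arguing about. lookup_interpolated is the counterpart of WHERE ID = #url.ID#, lookup_bound is <cfqueryparam value="#url.ID#"> with no cfsqltype (fixed SQL text "eventid = ?" plus a string bind value, as in Steve's debug output), and lookup_typed adds the integer check that cfsqltype="cf_sql_integer" would perform before binding. The event table, its rows and the attacker's ?ID= value are constructed for the demo; the use of SQLite and the int() check as a stand-in for the CF type attribute are my assumptions, not anything the thread states.

```python
import sqlite3

# Constructed stand-in for the "event" table mentioned in the thread (not real data).
ROWS = [(123, "keynote"), (124, "workshop"), (125, "panel")]


def make_db():
    """Create an in-memory database with three events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (eventid INTEGER NOT NULL, name TEXT)")
    conn.executemany("INSERT INTO event (eventid, name) VALUES (?, ?)", ROWS)
    return conn


def lookup_interpolated(conn, user_id):
    """Counterpart of  WHERE ID = #url.ID#  : the value is spliced into the
    SQL text, so whatever the user typed is parsed as SQL by the engine."""
    sql = f"SELECT eventid, name FROM event WHERE eventid = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_id):
    """Counterpart of  WHERE ID = <cfqueryparam value="#url.ID#">  with no
    cfsqltype: the SQL text is fixed ("eventid = ?") and the value is sent
    separately as a string-typed bind parameter. It is compared as a value,
    never parsed as SQL."""
    sql = "SELECT eventid, name FROM event WHERE eventid = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_typed(conn, user_id):
    """Counterpart of cfsqltype="cf_sql_integer" (assumed mapping): validate
    the value against the declared type before binding it. Anything that is
    not an integer is rejected before a query is issued at all."""
    try:
        eventid = int(user_id)
    except (TypeError, ValueError):
        raise ValueError(f"eventid must be an integer, got {user_id!r}")
    sql = "SELECT eventid, name FROM event WHERE eventid = ?"
    return conn.execute(sql, (eventid,)).fetchall()


def run_demo():
    """Run all three forms against a benign id and a tautology payload and
    report the row count each one returns ("rejected" if validation fires)."""
    conn = make_db()
    benign = "123"
    payload = "123 OR 1=1"  # constructed attacker value for ?ID=

    def typed(value):
        try:
            return len(lookup_typed(conn, value))
        except ValueError:
            return "rejected"

    return {
        "interpolated_benign": len(lookup_interpolated(conn, benign)),
        "interpolated_attack": len(lookup_interpolated(conn, payload)),
        "bound_benign": len(lookup_bound(conn, benign)),
        "bound_attack": len(lookup_bound(conn, payload)),
        "typed_benign": typed(benign),
        "typed_attack": typed(payload),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:20} {result}")
```

With the payload, the interpolated form returns every row because the engine sees "WHERE eventid = 123 OR 1=1"; the bound form returns no rows because the engine compares the integer column against the literal string "123 OR 1=1"; the typed form never reaches the database. Note that the bound form with the benign "123" only matches here because SQLite coerces the text to the column's integer affinity; how an untyped character parameter compares against an integer column differs between database engines, which is a practical reason to set cfsqltype even though the binding by itself is what keeps the value out of the SQL text.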
