Then you have nothing to worry about. If they can't actually inject
SQL via a TEXT string (like a comment form or something like that),
then there is nothing they can do.

But yes, CFQUERYPARAM is your ultimate weapon against injections,
because it treats dynamic data differently underneath the covers and
doesn't simply append it to the string.

... even for MS SqlServer (regarding your other message).

So unlike the Ares I-X launch, you are good to go! :)

Jason King wrote:
> The only thing that users can do to affect a query is change an ID value
> in the URL..  None of my code relies on the queries being passed via a
> URL string or anything like that.
> And I guess the cfqueryparam just checks to make sure the variable is
> what it says it is. I just set it to match what the variable type should
> be, such as integer, and if that fails, the query fails?

--~--~---------~--~----~------------~-------~--~----~
Open BlueDragon Public Mailing List
 http://groups.google.com/group/openbd?hl=en
 official site @ http://www.openbluedragon.org/

!! save a network - trim replies before posting !!
-~----------~----~----~----~------~----~------~--~---
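The point the reply makes about CFQUERYPARAM (the value is bound as a parameter rather than appended to the SQL text) and the ID-in-the-URL and comment-form cases from the thread, shown side by side as an added CFML example. This is not code from the thread or from the OpenBD project; the datasource name "app", the "articles" and "comments" tables and their columns are placeholders assumed for illustration.

```cfml
<!--- Added example (not from the thread). Assumes a datasource named "app"
      (placeholder) with an "articles" table whose primary key "id" is an
      integer, and a "comments" table with an integer "article_id" and a
      text "body" column. --->

<!--- Weak form: url.id is spliced straight into the SQL text, so the database
      parses whatever the client put in the URL as part of the statement. --->
<cfquery name="weak" datasource="app">
    SELECT id, title, body
    FROM   articles
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam sends the value to the driver as a bound
      parameter, separate from the statement text, so it can only ever be a
      value, never SQL. cfsqltype="cf_sql_integer" additionally makes the
      engine validate the input before the query is sent: a non-integer ID
      raises an error and the query fails, which is the behaviour Jason
      describes. --->
<cfquery name="safe" datasource="app">
    SELECT id, title, body
    FROM   articles
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text input (the comment-form case) gets the same treatment: the
      text is bound as a string parameter, never concatenated. maxlength
      caps the bound value so oversized input is rejected before it reaches
      the database. --->
<cfquery datasource="app">
    INSERT INTO comments (article_id, body)
    VALUES (
        <cfqueryparam value="#form.article_id#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#form.body#" cfsqltype="cf_sql_varchar" maxlength="2000">
    )
</cfquery>

<!--- Optional extra guard at the top of the page: cfparam with type="integer"
      rejects a non-integer url.id before any query runs, giving a clearer
      error than a failure inside cfquery. --->
<cfparam name="url.id" type="integer">
```

The rule of thumb this shows is that every `#variable#` inside a `<cfquery>` body should be wrapped in `<cfqueryparam>` with a `cfsqltype` matching the column, whether the value arrives via the URL, a form, or anything else the client controls; the binding, not the data type check, is what keeps the value from becoming part of the statement.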