> > Otherwise sooner or later someone will enter
> > mytitle';drop all;commit; as a book title.
>
> I have an issue with people using cfqueryparam for this
> reason.
>
> You should be doing data validation long before you hit
> the query and a try/catch around a query and cfqueryparam
> is not data validation! That is just letting your application
> accept bad data, fall over and then capture that failure of
> the application.
While I wouldn't disagree that data validation ideally should be done before
any data is used within your application, I would still strongly recommend
that you use CFQUERYPARAM to ensure that no bad data goes to your database
server. Redundancy is a good thing, usually. In addition, given that we live
in an imperfect world, I'd rather have everyone using CFQUERYPARAM to filter
their data than not using anything at all, which appears to be the norm.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
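The vulnerable pattern and the two-layer fix the thread argues for (validate first, then still bind with CFQUERYPARAM), as an added example that is not code from the thread. It assumes a `books` table with `id` and `title` columns, a datasource variable `dsn`, and form fields `title` and `bookId`.

```cfml
<!--- Vulnerable: the title is pasted straight into the SQL text, so a
      submitted value such as  mytitle';drop all;commit;  rewrites the
      statement instead of being treated as a title. --->
<cfquery name="qBooksUnsafe" datasource="#dsn#">
    SELECT id, title FROM books WHERE title = '#form.title#'
</cfquery>

<!--- Layer 1: validate before the query runs. Bad input is rejected up
      front rather than allowed to fail inside the database call. --->
<cfset cleanTitle = trim(form.title)>
<cfif NOT len(cleanTitle) OR len(cleanTitle) GT 255>
    <cfthrow type="ValidationError" message="Title must be 1 to 255 characters">
</cfif>
<cfif NOT isValid("integer", form.bookId) OR form.bookId LTE 0>
    <cfthrow type="ValidationError" message="bookId must be a positive integer">
</cfif>

<!--- Layer 2: bind every value with cfqueryparam. The value is sent to the
      driver separately from the statement text, so the same title is
      stored as a literal string and is never parsed as SQL. cfsqltype and
      maxlength are a second, independent check on anything layer 1 missed. --->
<cfquery name="qBooksUpdate" datasource="#dsn#">
    UPDATE books
    SET title = <cfqueryparam value="#cleanTitle#" cfsqltype="cf_sql_varchar" maxlength="255">
    WHERE id = <cfqueryparam value="#form.bookId#" cfsqltype="cf_sql_integer">
</cfquery>
```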