>> Does making sure that it's a varchar do the same thing? IOW, is >> it making sure that it's not some sort of run statement? > >Yes, it simply tells the database server that the value is just that - a >value rather than an SQL command.
ah great, thanks for the clarity. I have alot of retro-fitting to do on DBs that I worked on in the past. >I haven't seen the original query that you're working with (presumably it's >somewhere within a previous message), but all you have to do is replace your >literal values with CFQUERYPARAM tags - you shouldn't have to change your >conditional logic around to accommodate this, I don't think. yeah, I build the WHERE into a long string <cfset the_where = "WHERE mycolumn = myvalue"> <cfset the_where = "#the_where # AND mycolumn = myvalue"> etc. The new way, I just CFIF the actual column and values into the SQL statement - like in your example on the MM page. Thanks for the help. Hope you like this weekends snow - looks to be a good one. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Logware: a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:191339 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations & Support: http://www.houseoffusion.com/tiny.cfm/54