> >>Much simpler (but the same) meaning is just that you
> >>should NEVER have hashes inside CFQUERY tags, unless they
> >>are also inside CFQUERYPARAM tags.
>
> Besides the fact that use of CFQUERYPARAM may make queries
> more efficient, the main advantage is to prevent SQL injection.
> But what if one uses an Access database? AFAIK, SQL injection
> uses multiple SQL statements, but since multiple SQL statements
> are not supported in Access datasources, is CFQUERYPARAM so
> important with Access?

Well... in theory cfqueryparam should still make those queries faster
even when using Access... but entirely aside from the performance issue,
sql injection doesn't _need_ to use multiple sql statements... here's an
example:

<cfquery ...>
delete * from mytable where mycolumn = #url.x#
</cfquery>

And the simple sql injection attack for this page is:

page.cfm?x=1 or 1=1

Of course the browser or other http engine will need to urlencode the
value "1 or 1=1" so that the spaces and the equal sign don't mangle the
url; however, as far as I know MS Access does support the statement "1=1"
and I know it supports the or keyword in the where clause, so the end
result would be that the Access driver will attempt to delete every
record in that table. Foreign key constraints may prevent the deletion of
some of them, but without a cftransaction you may still lose extra
records. Much better to just use the cfqueryparam.

s. isaac dealey
954.522.6080

new epoch : isn't it time for a change?

add features without fixtures with
the onTap open source framework
http://www.fusiontap.com
http://coldfusion.sys-con.com/author/4806Dealey.htm
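Added illustration (not from the original post) of the point above, using Python's sqlite3 as a stand-in for ColdFusion on an Access datasource: sqlite3's execute() also refuses a second stacked statement, yet the interpolated "1 or 1=1" still empties the table, while a type-checked, bound parameter (the cfqueryparam cf_sql_integer equivalent) either deletes the one intended row or rejects the input. The table, rows and function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "mytable".
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

def fresh_db():
    """In-memory table seeded with ROWS; execute() here, like Access, runs one statement only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (mycolumn INTEGER, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", ROWS)
    return conn

def rows_left(conn):
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]

def delete_interpolated(conn, x):
    """Vulnerable: the raw request value is pasted into the SQL, like #url.x#."""
    conn.execute(f"DELETE FROM mytable WHERE mycolumn = {x}")
    return rows_left(conn)

def delete_parameterised(conn, x):
    """Hardened: value is type-checked and bound, like cfqueryparam cf_sql_integer."""
    value = int(x)  # ValueError for "1 or 1=1", mirroring cfqueryparam's type validation
    conn.execute("DELETE FROM mytable WHERE mycolumn = ?", (value,))
    return rows_left(conn)

def demo():
    """Run each case on a fresh table; returns remaining row counts and outcomes."""
    out = {
        "interpolated_honest": delete_interpolated(fresh_db(), "1"),
        "interpolated_or_1eq1": delete_interpolated(fresh_db(), "1 or 1=1"),
        "param_honest": delete_parameterised(fresh_db(), "1"),
    }
    try:  # a stacked second statement is refused by the driver (older Pythons raise sqlite3.Warning)
        delete_interpolated(fresh_db(), "1; DELETE FROM mytable")
        out["stacked_blocked"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        out["stacked_blocked"] = True
    try:  # the bound, typed parameter never reaches the SQL parser
        delete_parameterised(fresh_db(), "1 or 1=1")
        out["param_rejected"] = False
    except ValueError:
        out["param_rejected"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

Running it shows the stacked statement blocked and the honest deletes leaving 2 rows, while the interpolated "1 or 1=1" leaves 0.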