> Since CFQUERYPARAM also generally provides a performance
> benefit, why wouldn't you just use that? What do you see
> as the advantage of your data scrubbing?
It depends on the project. If the variables are scrubbed from the beginning, some basic error checking can be run that would act before the query is even run. For example, if you have a product detail page that is expecting a product ID...

    <cfset url.id = abs(val(trim(url.id)))>
    <cfif not url.id>
        <cflocation url="/">
    </cfif>

Now you've guaranteed that there will be some value to pass to the query, and if someone tries to get tricky with a SQL injection attack, they get booted to the home page before the query is ever run.

For most of my projects I use a combination of input scrubbing and SQL optimization (QUERYPARAM and SPs where needed). As with anything else, what you do depends on how the application will be used, what kind of traffic you're expecting, and how much time and money the client wants to throw at it.

-Justin Scott
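The combination the reply describes, scrubbing the input first and then binding it with CFQUERYPARAM so the value is never concatenated into the SQL string, as an added example and not code from the original post; the `products` table, its columns and the `application.dsn` datasource are assumptions.

```cfml
<!--- Added example, not from the original post. Assumes a products
      table with an integer id column and a datasource in application.dsn. --->

<!--- 1. Scrub: a missing, empty or non-numeric id collapses to 0 --->
<cfparam name="url.id" default="0">
<cfset url.id = int(abs(val(trim(url.id))))>

<!--- 2. Reject before any query runs --->
<cfif not url.id>
    <cflocation url="/" addtoken="false">
</cfif>

<!--- 3. Bind with cfqueryparam; cf_sql_integer also type-checks the value,
      so a non-integer is rejected by ColdFusion rather than reaching SQL --->
<cfquery name="getProduct" datasource="#application.dsn#">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. A valid-looking id that matches nothing is treated the same way --->
<cfif not getProduct.recordCount>
    <cflocation url="/" addtoken="false">
</cfif>
```

Either layer alone would stop the classic string-based injection here; keeping both means a future change to the scrubbing line (or a developer who forgets it on another page) still leaves the query parameterized.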