You are safe using val for number fields. Nothing would crash it. Val evaluates to 0 if what you pass in cannot be recognized as a number.
-Mike Chabot

On 3/16/07, Mik Muller <[EMAIL PROTECTED]> wrote:
> Ok ok, so I'm a baaad boy, but I hadn't been using cfqueryparam all this
> time, but with a good reason. You cannot cache your queries if you do.
>
> I'm sure this has come up before, but I want to ask anyway...
>
> I'd prefer not to cfqueryparam all my queries because I have quite a few that
> run for every page, some of which are pretty big. Currently I cache every
> query I can get away with caching and the sites run fairly snappy. Some day
> soon I'll get around to a real tune-up as far as performance, but for now I'm
> worried about security.
>
> For the queries based on numeric ID, can't I get away with putting a val( )
> around my url ID variables and be ok (this is what I'm doing now)? I mean,
> val( ) strips out everything starting from the first non numeric character,
> which would essentially remove all sql hacks. Assuming I could ensure val( )
> didn't crash (what could crash it) would I be safe enough with just that?
>
> Mik
>
> ie;
>
> <cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC">
> SELECT something
> FROM somewhere
> WHERE ID = <cfqueryparam cfsqltype="CF_SQL_INTEGER" null="No" value="#url.ID#">
> </cfquery>
>
> vs.
>
> <cfquery name="qs" datasource="#request.d.dbname#" dbtype="ODBC" cachedwithin="#session.cache_long#">
> SELECT something
> FROM somewhere
> WHERE ID = #val(url.ID)#
> </cfquery>
>
> --------
> Michael Muller
> Admin, MontagueMA.net Website
> work (413) 863-0030
> cell (413) 320-5336
> skype: michaelBmuller
> http://www.MontagueMA.net
>
> Eschew Obfuscation

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:272784
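As an added illustration (not part of the thread, and a Python emulation of the val() behaviour Mik and Mike describe rather than ColdFusion's own implementation), this script takes the leading numeric prefix of each input, falls back to 0, builds the interpolated WHERE clause from the cached query above, and checks what actually reached the SQL text; the sample inputs are constructed.

```python
import re

# Emulation of val() as described in the thread: keep the leading numeric
# prefix (optional sign, digits, optional decimal part) and return 0 when
# the string does not start with a number. Assumption: this stands in for
# ColdFusion's val(); it is not the real function.
_LEADING_NUMBER = re.compile(r"^[-+]?(\d+(\.\d*)?|\.\d+)")

def cf_val(raw: str):
    """Return the numeric prefix of raw, or 0 if there is none."""
    m = _LEADING_NUMBER.match(raw)
    if not m:
        return 0
    text = m.group(0)
    return float(text) if "." in text else int(text)

def build_where_clause(raw_id: str) -> str:
    """Interpolate the sanitised value the way the cachedwithin query does."""
    return f"WHERE ID = {cf_val(raw_id)}"

def is_plain_integer_literal(clause: str) -> bool:
    """True only if exactly one integer token reached the SQL text."""
    return re.fullmatch(r"WHERE ID = -?\d+", clause) is not None

# Constructed inputs: a normal id, trailing garbage, SQL appended after the
# number, a non-numeric string, an empty value, and a decimal. The decimal
# shows the one caveat: val() passes through a non-integer, so an integer ID
# column still wants int() (or isValid) on top of val().
SAMPLES = {
    "42": 42,
    "42abc": 42,
    "42 OR 1=1": 42,
    "abc": 0,
    "": 0,
    "3.7": 3.7,
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        clause = build_where_clause(raw)
        ok = is_plain_integer_literal(clause)
        print(f"{raw!r:>14} -> {clause!r}  integer literal: {ok}")
```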