> > out of interest what is the difference in using the
> > cfqueryparam and not?
>
> Well, the biggest reason is that it provides significant
> protection against SQL injection attacks. It basically does
> in-line data validation.
Ben (and everyone else who's posted) is right that you should use this. It's worth pointing out, though, that Ben has listed two different things above, and those things are separate.

CFQUERYPARAM separates data values from executable SQL code, and that's how it prevents SQL injection attacks. This isn't "significant protection", it's complete protection. By separating data values from executable code, you are clearly telling the database that data values cannot be executed, so it doesn't matter whether they contain SQL commands - they simply won't be executed.

Almost as a side effect, you get data validation before you send your data to the database.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
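As an added illustration (not code from Dave's post or from the CF-Talk thread), the CFML below shows the concatenated query beside its CFQUERYPARAM form, plus the validation side effect Dave mentions. The datasource name `myDsn`, the `users` table and its columns are assumed.

```cfml
<!--- Added example, not from the original post. Datasource "myDsn" and the
      users table/columns are assumed for illustration. --->

<!--- BEFORE: the request value is spliced into the SQL text, so whatever
      url.id contains is parsed by the database as part of the statement. --->
<cfquery name="getUser" datasource="myDsn">
    SELECT id, username, email
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- AFTER: cfqueryparam sends the SQL with a placeholder and the value as
      a separate bind parameter. The database never parses the value as
      SQL, so it cannot alter the statement whatever it contains. --->
<cfquery name="getUser" datasource="myDsn">
    SELECT id, username, email
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The validation side effect: a value that does not fit the declared
      cfsqltype, or exceeds maxlength, is rejected by ColdFusion before any
      query is sent. Catching that yields a clean 400 instead of a DB error. --->
<cftry>
    <cfquery name="findUser" datasource="myDsn">
        SELECT id, username
        FROM users
        WHERE username = <cfqueryparam value="#form.username#"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="50">
    </cfquery>
    <cfcatch type="any">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid username.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

Bind parameters only stand in for data values, so a table or column name or an ORDER BY direction taken from a request still has to be checked against a fixed allow-list in CFML before it is placed in the SQL text.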