No, it does not; use cfqueryparam.

..:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
-----Original Message-----
From: Chris Norloff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2008 11:51 AM
To: CF-Talk
Subject: CFC protect from SQL Injection?

Does the parameter typing in a CF Component protect you from a SQL Injection attack?

Below, both variables cfcStage_From and cfcID have their type set. It seems cfcStage_From would be protected as it's typed as numeric. However, cfcID is typed as string, and it seems it could contain a single quote that would allow a malicious user to terminate the data entry and add on a second SQL statement, all inside the string cfcID. Would cfcID be better inside double quotes (if they work)?

Thoughts? References? Links?

Thanks,
Chris

```cfml
<cfcomponent displayname="test">
    <cfargument name="cfcStage_From" type="numeric" />
    <cfargument name="cfcID" type="string" />
    .....
    <cfquery name="qry_test1" datasource="test">
        INSERT INTO table ( STAGE_FROM_ID ) Values (#cfcStage_From#)
    </cfquery>
    <cfquery name="qry_test2" datasource="test">
        Update table set From_stage =#cfcStage_From# Where ID = '#cfcID#'
    </cfquery>
</cfcomponent>
```

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299621
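The fix the reply points at, written out as an added example (this is not code from either poster): the two queries from the question rebuilt so that every dynamic value goes through cfqueryparam. The datasource, table, column and argument names are the ones in the question; the cffunction wrapper, its name `moveStage`, the `required` flags and the `maxlength` on the varchar parameter are assumptions added here.

```cfml
<!--- Added example, not from the original post. Names (datasource "test", the
      table and columns, the two arguments) come from the question; the
      cffunction wrapper, "moveStage", required="true" and maxlength are assumptions. --->
<cfcomponent displayname="test">

    <cffunction name="moveStage" access="public" returntype="void" output="false">
        <!--- Argument typing is still input validation: type="numeric" rejects a
              value like "1 OR 1=1" before the query runs. type="string" accepts
              anything, including quotes, so it does nothing for the SQL itself. --->
        <cfargument name="cfcStage_From" type="numeric" required="true" />
        <cfargument name="cfcID" type="string" required="true" />

        <!--- cfqueryparam hands the value to the driver as a bound parameter.
              A cfcID such as    x' OR 1=1 --    is then compared literally against
              ID; it can never close the string or append a second statement. --->
        <cfquery name="qry_test1" datasource="test">
            INSERT INTO table ( STAGE_FROM_ID )
            VALUES ( <cfqueryparam value="#arguments.cfcStage_From#" cfsqltype="cf_sql_integer" /> )
        </cfquery>

        <!--- Note there are no quotes around the varchar parameter: the driver
              types and quotes the bound value, which answers the "double quotes"
              question in the original message. --->
        <cfquery name="qry_test2" datasource="test">
            UPDATE table
            SET From_stage = <cfqueryparam value="#arguments.cfcStage_From#" cfsqltype="cf_sql_integer" />
            WHERE ID = <cfqueryparam value="#arguments.cfcID#" cfsqltype="cf_sql_varchar" maxlength="50" />
        </cfquery>
    </cffunction>

</cfcomponent>

<!--- Usage (assumed call site; the hostile cfcID is a constructed payload that
      would try to terminate the string in the original interpolated query):
<cfset createObject("component", "test").moveStage(cfcStage_From=3, cfcID="x' OR 1=1 --") />
--->
```

Two points a practitioner should keep in mind. First, cfqueryparam binds values only: a table name, column name or ORDER BY clause coming from user input cannot be parameterized and has to be checked against an allowlist instead. Second, rely on the typed argument as a second layer, not as the SQL defence; if someone later changes `type="numeric"` to `type="string"` the raw `#cfcStage_From#` interpolation in the original query becomes injectable, whereas the cfqueryparam version above stays safe.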