I'll say it again. ANY string passed into cfqueryparam cannot be executed as SQL:
select somecolumn from sometable where someothercolumn = <cfqueryparam cfsqltype="varchar" value="URL.TryToHackThis"> It is irrelevant what gets passed in the URL.TryToHackThis; it cannot be executed as a SQL statement. It's bound to the query as a parameter. On Thu, Jul 24, 2008 at 11:44 PM, Claude Schneegans <[EMAIL PROTECTED]> wrote: > >>So you know that it *always* prevents SQL injection in a standard > query (select, update or delete). > > Really? Can you give an example of injection that will be prevented? -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309618 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4