Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
That's what I get for answering at midnight. On Thu, Jul 24, 2008 at 11:57 PM, James Holmes <[EMAIL PROTECTED]> wrote: > Obviously cfsqltype="varchar" should be cfsqltype="cf_sql_varchar" (my typo). > > On Thu, Jul 24, 2008 at 11:55 PM, James Holmes <[EMAIL PROTECTED]> wrote: >> I'll say it again. >> >> ANY string passed into cfqueryparam cannot be executed as SQL: >> >> select somecolumn >> from sometable >> where someothercolumn = <cfqueryparam cfsqltype="varchar" >> value="URL.TryToHackThis"> >> >> It is irrelevant what gets passed in the URL.TryToHackThis; it cannot >> be executed as a SQL statement. It's bound to the query as a >> parameter. -- mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309620 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
