Absolutely. Minimally, just using a cfqueryparam tag with the value attributes is enough to let the SQL server know the difference between the SQL statement itself and the parameters being passed into it. With that distinction, you may get crap data in your database if it is an insert or an update, but arbitrary and malicious code will NEVER get into the cfquery and be executed as SQL.
The maxlength and type are just additional checks which will cause an error to be thrown from ColdFusion when bad data is passed in. They are a very good idea, but they aren't required.

~Brad

----- Original Message -----
From: "Radek Valachovic" <[EMAIL PROTECTED]>
To: "CF-Talk" <cf-talk@houseoffusion.com>
Sent: Thursday, July 24, 2008 1:26 PM
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

> So if I won't use maxlength, is it still going to be secured? Thanks

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309654
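To make the distinction Brad describes concrete, here is an added example (not code from the original thread): the same query written first with the URL value pasted straight into the SQL text, then with cfqueryparam so the value travels as a bind parameter, and finally an insert that also uses cfsqltype and maxlength as the extra checks. The datasource name, table and column names are assumed for illustration.

```cfml
<!--- Assumed datasource and table names; nothing here comes from the thread. --->

<!--- Before: url.id is concatenated into the SQL string, so the database
      cannot tell where the statement ends and the user-supplied value begins. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- After: cfqueryparam passes url.id as a bind parameter. Whatever the
      string contains, the server treats it as a value, never as SQL. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Optional extra checks: cfsqltype rejects non-integer input with a
      ColdFusion error before the query runs, and maxlength rejects a body
      longer than the column allows. Neither is needed to block injection;
      they only keep junk data out of the table. --->
<cfquery name="insertComment" datasource="myDSN">
    INSERT INTO comments (user_id, body)
    VALUES (
        <cfqueryparam value="#form.userId#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#form.body#" cfsqltype="cf_sql_varchar" maxlength="2000">
    )
</cfquery>
```

With the parameterized form, a request such as `?id=5` returns the user row and a request carrying anything that is not an integer produces a ColdFusion validation error rather than reaching the database at all.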