Actually, I believe cfqueryparam uses bindings, which effectively passes
parameters to the SQL engine. In your example, you are still open to SQL
injection attacks.

However, if you need to use your value several times, you can use declare /
set to define a variable in SQL, rather than using multiple cfqueryparam
statements:

<cfquery ...>
declare @p1 nvarchar(50)

set @p1 = <cfqueryparam cfsqltype="cf_sql_varchar"
value="#userSuppliedValue#" />

select *
from tableName
where column = @p1 and othercolumn <> @p1
</cfquery>

Francois Levesque
http://blog.critical-web.com/


On Thu, Apr 16, 2009 at 2:29 PM, Jason Fisher <ja...@wanax.com> wrote:

>
> And for all those reading this and using MSSQL, an inline statement would
> look like this:
>
> <cfquery ...>
> declare @p1 nvarchar(50)
>
> set @p1 = '#userSuppliedValue#'
>
> select *
> from tableName
> where column = @p1
> </cfquery>
>
> So, basically <cfqueryparam> is creating the Declare and Set for you.
>
> 
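The point of the exchange, shown as an added example that is not from either message in this thread: Python's sqlite3 stands in for ColdFusion against MSSQL, the `users` table, its rows and the injection payload are constructed for the example, and the function names are mine. `inline_query` is the `set @p1 = '#userSuppliedValue#'` pattern (the value is spliced into the SQL text), `bound_query` is the cfqueryparam pattern (the value travels as a bind parameter and is never parsed as SQL), and `bound_query_reused` is the declare/set idea, one bound value referenced twice in a single statement.

```python
"""Bind parameters vs. string interpolation, and reusing one bound value.

Added example (not code from the original thread). sqlite3 stands in for
ColdFusion/MSSQL; table, rows and payload are constructed for illustration.
"""
import sqlite3

# Constructed sample data: alice manages bob, bob manages carol.
ROWS = [
    ("alice", None),
    ("bob", "alice"),
    ("carol", "bob"),
]

# Classic tautology payload; a user would type this into the form field.
INJECTION = "' OR '1'='1"


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, manager TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def inline_query(conn, user_supplied):
    """Injectable: the equivalent of set @p1 = '#userSuppliedValue#'.

    The user's text becomes part of the SQL statement, so quotes and
    keywords in it change the query's meaning.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "ORDER BY username" % user_supplied)
    return [row[0] for row in conn.execute(sql)]


def bound_query(conn, user_supplied):
    """Safe: the cfqueryparam equivalent.

    The statement text is fixed; the value is sent to the engine as a
    bind parameter and compared as data, never parsed as SQL.
    """
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (user_supplied,))]


def bound_query_reused(conn, user_supplied):
    """Safe, and the declare/set analogue: one binding used twice.

    sqlite3 named parameters let :p1 appear in several places while the
    value is bound once, which is what declare @p1 / set @p1 = <cfqueryparam>
    achieves on MSSQL without repeating the cfqueryparam tag.
    """
    sql = ("SELECT username FROM users "
           "WHERE username = :p1 OR manager = :p1 ORDER BY username")
    return [row[0] for row in conn.execute(sql, {"p1": user_supplied})]


if __name__ == "__main__":
    db = make_db()
    print("inline, payload  :", inline_query(db, INJECTION))   # every row leaks
    print("bound, payload   :", bound_query(db, INJECTION))    # nothing matches
    print("bound, reused    :", bound_query_reused(db, "alice"))
```

Run it and the interpolated query returns every row for the payload, while both bound forms return nothing for it and behave normally for a legitimate value. The same contrast holds for the ColdFusion snippets above: only the `'#userSuppliedValue#'` form hands attacker text to the SQL parser.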

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321678