Yes he is sure. And he is correct. With a prepared statement, an array of values is sent to the db along with a query string that looks like "SELECT * FROM fu WHERE bar = ?". In preparing the statement, each value has to be added to the array using a type specific method (in java). Therefore CF is pretty much forced to validate them at this point.
Dominic

2009/4/16 David McGuigan <davidmcgui...@gmail.com>:
>
> > :::It builds a prepared statement. It doesn't scan or filter anything.
> > You could build a prepared statement yourself.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
>
> Are you sure? When I pass a string into a cfqueryparam of type cf_sql_integer
> I get the error: Invalid data etc for CFSQLTYPE CF_SQL_INTEGER.
> Which leads me to believe it is being scanned/validated before being sent to
> MySQL, and also makes me wonder whether cfqueryparam even uses prepared
> statements. It seems and not just inline SQL variables.
> ( The exception is a coldfusion.sql.Parameter$DataTypeMismatchException )

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321686
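The two layers Dominic describes, shown as an added example that is not part of the original thread: the SQL text with a `?` placeholder travels separately from the value, and a type-specific bind (the stand-in here for cf_sql_integer / JDBC setInt) rejects anything that is not an integer before the query is sent. The `fu`/`bar` table, the sqlite3 database and the `DataTypeMismatch` class are constructed for this example, not ColdFusion's own code.

```python
import re
import sqlite3


class DataTypeMismatch(ValueError):
    """Raised when a value cannot be bound under its declared SQL type.
    Plays the role of coldfusion.sql.Parameter$DataTypeMismatchException."""


def bind_integer(value):
    """Type-specific bind for an integer parameter: the typed setter a prepared
    statement forces the caller through. Returns an int or raises."""
    if isinstance(value, bool):  # bool is an int subclass; reject it explicitly
        raise DataTypeMismatch(f"Invalid data {value!r} for CFSQLTYPE CF_SQL_INTEGER")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and re.fullmatch(r"-?\d+", value.strip()):
        return int(value.strip())
    raise DataTypeMismatch(f"Invalid data {value!r} for CFSQLTYPE CF_SQL_INTEGER")


def make_db():
    """Constructed sample table 'fu' with an integer column 'bar'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fu (bar INTEGER, name TEXT)")
    conn.executemany("INSERT INTO fu VALUES (?, ?)",
                     [(1, "one"), (7, "seven"), (42, "answer")])
    return conn


def select_bar(conn, value, typed=True):
    """Run the thread's query with the value passed as a bound parameter, never
    spliced into the SQL string. With typed=True the value must first pass the
    integer bind, as cfqueryparam cfsqltype="cf_sql_integer" requires."""
    param = bind_integer(value) if typed else value
    return conn.execute("SELECT * FROM fu WHERE bar = ?", (param,)).fetchall()
```

Even without the typed bind, a parameter is compared as a literal value rather than parsed as SQL, so a non-numeric string simply matches no rows; the typed bind turns that silent miss into the explicit error David saw.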