Will, Justin is right: just because your form is behind a username/password, it by no means guarantees that the people accessing that form aren't malicious. As for whether there are scenarios where you shouldn't use queryparam, that's probably open for debate (it's certainly been debated before); however, I've not come across a situation (except the caching issue as mentioned) where it's been of any benefit to NOT use queryparam.
- Gabriel

-----Original Message-----
From: Justin Scott [mailto:jscott-li...@gravityfree.com]
Sent: Wednesday, 10 June 2009 12:42 PM
To: cf-talk
Subject: RE: CFLOOP inside a CFQuery

> WOW! Thanks for all the feedback! One question about CFQUERYPARAM, I
> use this when I accept anything that is available to the general
> public, but is it necessary to use this when the form is only
> accessible via username/password?

I would use it regardless of who is going to be hitting those queries. You never know when some nefarious person is going to break into an admin account and start probing around.

> Is there ever a reason not to use CFQUERYPARAM?

Before ColdFusion 8 was released, you could not use CFQUERYPARAM in conjunction with a cached query. CF8 now allows that (yea!).

-Justin
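An added example, not code from anyone in this thread: an unparameterised query on a login-protected form next to the same query with CFQUERYPARAM, including values emitted by a CFLOOP inside the CFQUERY and query caching. The datasource, table, column and form field names are hypothetical.

```cfml
<!--- Added example. exampleDSN, articles, category_id, title and the
      form field names are hypothetical. --->
<cfparam name="form.categoryId" default="0">
<cfparam name="form.keywords" default="">

<!--- Before: form input is concatenated into the SQL text. A login page in
      front of this form does not change what the database receives, so any
      authenticated (or hijacked) account controls part of the statement. --->
<cfquery name="qUnparameterised" datasource="exampleDSN">
    SELECT id, title
    FROM   articles
    WHERE  category_id = #form.categoryId#
</cfquery>

<!--- After: every value is sent as a typed bind parameter, including the
      ones produced by the CFLOOP that adds one LIKE clause per keyword.
      A non-numeric categoryId now raises an error instead of reaching the
      database. Combining cachedwithin with CFQUERYPARAM needs ColdFusion 8
      or later, as noted in the thread. --->
<cfquery name="qParameterised" datasource="exampleDSN"
         cachedwithin="#createTimeSpan(0, 0, 10, 0)#">
    SELECT id, title
    FROM   articles
    WHERE  category_id = <cfqueryparam value="#form.categoryId#"
                                       cfsqltype="cf_sql_integer">
    <cfloop list="#form.keywords#" index="kw">
        AND title LIKE <cfqueryparam value="%#trim(kw)#%"
                                     cfsqltype="cf_sql_varchar">
    </cfloop>
</cfquery>
```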