Larry, You are already using cfqueryparam so you are "protected" for the most part. I say most part, because you could still extract the data from the db and have bad consequences if you are not considerate of the underlying data and how you use it. Like querying malicious data and using it in another cfquery without cfqueryparam.
In general it is best practice to save data as it was transmitted and in as raw a format as possible and leave the logic up to the application on how to process and present data. Could get rebuttals on that but it is my preference. That said, it's not that you shouldn't or can't html encode. You just need to make the decision based on the requirements at hand. If you're storing html code for presentation later, this may very well make sense, where doing so for a company name probably does not.

+1 on being so security aware.

Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359556
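The two points in the reply above, that a value bound with cfqueryparam on the way in is still untrusted when it is read back and reused, and that encoding belongs at output time rather than in storage, as an added CFML example that is not from the original post or thread. It assumes a datasource named myDsn, a company table with a name column, and an orders table with a company_name column; the sample input is constructed.

```cfml
<!--- Constructed sample input: a company name containing a quote and markup,
      the kind of value a user might legitimately submit --->
<cfset userInput = "O'Brien & Sons <b>Ltd</b>">

<!--- Store the value as transmitted. cfqueryparam sends it as a bound
      parameter, so the quote and the markup are data, not SQL --->
<cfquery datasource="myDsn">
    INSERT INTO company (name)
    VALUES (<cfqueryparam value="#userInput#" cfsqltype="cf_sql_varchar" maxlength="100">)
</cfquery>

<!--- Read it back. The value comes out exactly as stored, quote and markup intact --->
<cfquery name="companies" datasource="myDsn">
    SELECT id, name FROM company
</cfquery>

<!--- The second-order problem the reply warns about: a stored value interpolated
      into another query. The quote in O'Brien alone breaks this statement, and a
      stored value containing SQL would be executed as SQL --->
<cfquery name="ordersBad" datasource="myDsn">
    SELECT * FROM orders WHERE company_name = '#companies.name#'
</cfquery>

<!--- Same query with the value bound again: data from the database is treated as
      untrusted on every use, not only on the way in --->
<cfquery name="ordersGood" datasource="myDsn">
    SELECT * FROM orders
    WHERE company_name = <cfqueryparam value="#companies.name#" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Presentation: encode for the HTML context at output time, leaving the stored
      value raw so other consumers (reports, APIs) get the original data.
      encodeForHTML() exists in ColdFusion 10 and later; older releases use HTMLEditFormat() --->
<cfoutput query="companies">
    <li>#encodeForHTML(name)#</li>
</cfoutput>
```

The ordersBad block is kept only to show the shape of the mistake beside its fix; in real code every cfquery that touches a value, whether it came from a form or from a previous query, binds it with cfqueryparam.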

