cfqueryparam will not prevent the malicious data from getting entered into the table. However it does prevent the malicious text from executing as T-SQL. cfqueryparam does not parse or cleanse data in any way.
Basically it passes the text as a variable to the SQL statement, thus preventing any malicious code in the text from executing. So instead of T-SQL actually executing like this:

    select * from myTable where x='some'; delete * from myTable --'

cfqueryparam is actually running T-SQL something like this:

    select * from myType where x= @aVar

CF and the database driver are assigning @aVar your text string:

    @aVar = " some'; delete * from myTable -- "

So the value of the string inside the variable can never be executed, as it is not part of the actual T-SQL syntax. It is just a variable value at that point.

You can specify a data type for the query param. So if you specified cf_sql_integer and attempted to insert text with that parameter, you would get a T-SQL error, data type mismatch of sorts.

Hope this helps explain a bit.

~Byron

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359558
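An added illustration of Byron's point, not code from the thread: the same payload run once through string concatenation and once as a bound parameter, using Python's sqlite3 in place of ColdFusion and SQL Server (assumed stand-ins; the table name myTable and the payload are constructed, and SQLite's DELETE FROM replaces the post's "delete *"). It also shows that the parameter is stored verbatim, not cleansed, and how an integer-typed parameter rejects text.

```python
import sqlite3

# Constructed payload in the spirit of the one in the post.
PAYLOAD = "some'; DELETE FROM myTable; --"


def fresh_db():
    """Small in-memory table with two constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE myTable (id INTEGER, x TEXT)")
    con.executemany("INSERT INTO myTable VALUES (?, ?)",
                    [(1, "some"), (2, "other")])
    return con


def rows_after_concat(user_text):
    """String-built query: the payload becomes SQL syntax and runs."""
    con = fresh_db()
    sql = "SELECT * FROM myTable WHERE x='" + user_text + "'"
    con.executescript(sql)  # executescript mimics a driver that allows batches
    return con.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]


def rows_after_param(user_text):
    """Bound parameter: the payload is only a value compared against column x."""
    con = fresh_db()
    matched = con.execute("SELECT * FROM myTable WHERE x = ?",
                          (user_text,)).fetchall()
    remaining = con.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]
    return len(matched), remaining


def store_payload(user_text):
    """No cleansing takes place: the text is inserted exactly as given."""
    con = fresh_db()
    con.execute("INSERT INTO myTable VALUES (?, ?)", (3, user_text))
    return con.execute("SELECT x FROM myTable WHERE id = 3").fetchone()[0]


def typed_param(value):
    """cf_sql_integer analogue: anything that is not an integer is rejected."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None  # the typed parameter refuses the text outright
    con = fresh_db()
    return con.execute("SELECT x FROM myTable WHERE id = ?", (n,)).fetchone()[0]
```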

