> i will have to take your word for it since i have probably
> never used cfquery param, nor intend to. i personally always
> use stored procedures and i do all of my validation myself.
> if cfqueryparam works for you, then use it and god bless. i
> have been taught differently and personally i don't think i
> would trust it.

The validation done by creating a prepared statement is, as far as I can tell, identical to that done within a stored procedure. When you use CFQUERYPARAM, you're creating a prepared statement; the CFQUERYPARAM itself is what you might call a "bound parameter" to that statement.

In any case, never say never, as you may not be able to guarantee that you'll always have the freedom to dictate whether you'll use stored procedures. You may, for example, work against a database in which you don't have rights to create stored procedures, or you may work against a database that doesn't support the use of stored procedures. At that time, you'll need to deal with validation elsewhere.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
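
Added example, not part of the message above or of anyone's code on the list: the same lookup written with values spliced into the SQL text (shown commented out) and with CFQUERYPARAM bound parameters, to show where the type and length checks happen. The datasource `appDSN`, the `users` table and its columns, and the `url.userId` / `url.status` inputs are hypothetical.

```cfml
<!--- Hypothetical inputs; in a real page these arrive from the request. --->
<cfparam name="url.userId" default="">
<cfparam name="url.status" default="active">

<!--- Unbound form, left commented out: the values become part of the SQL
      text, so the database parses whatever the client sent as SQL.
<cfquery name="getUser" datasource="appDSN">
    SELECT user_id, user_name
    FROM users
    WHERE user_id = #url.userId#
      AND status = '#url.status#'
</cfquery>
--->

<!--- Bound form: each CFQUERYPARAM is sent as a parameter of a prepared
      statement. ColdFusion checks the value against cfsqltype (and
      maxlength) before the statement is executed. --->
<cftry>
    <cfquery name="getUser" datasource="appDSN">
        SELECT user_id, user_name
        FROM users
        WHERE user_id = <cfqueryparam value="#url.userId#"
                                      cfsqltype="cf_sql_integer">
          AND status = <cfqueryparam value="#url.status#"
                                     cfsqltype="cf_sql_varchar"
                                     maxlength="10">
    </cfquery>

    <cfoutput query="getUser">
        #HTMLEditFormat(user_name)#<br>
    </cfoutput>

    <cfcatch type="any">
        <!--- Reached when userId is not an integer, when status is longer
              than 10 characters, or on any database error. --->
        <cfoutput>Invalid request.</cfoutput>
    </cfcatch>
</cftry>
```

The same CFQUERYPARAM usage applies when the database has no stored-procedure support or when you lack the rights to create procedures, which is the situation the message describes.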