>- see footer for list info -<

> But even if you're using MySQL, it's still worth using them as a security
> measure -- <cfqueryparam> will make sure any information passed to the DB in
> the SQL statement is correctly formatted (e.g. escaping necessary characters
> etc.) and so help against possible SQL injection attacks. Also, using the
> cfsqltype="" argument will check that what you're actually passing in the
> value="" argument is valid for the data type.
>
> *All* my queries through CF are performed using <cfqueryparam>.
Yeah, good points. Thanks also to John and Salvatore, btw.

I have been using them in all queries for some time now, but wasn't sure if it was a waste of time using them in non-select queries; but, hey, if they prevent SQL injection attacks, that's a good enough reason to continue. I always assumed that they stop ";drop table x"-type attacks, even when cfsqltype is set to varchar, but will do a quick test to satisfy myself.

Oh, and for those whose posts hit the list as an attachment: I recently changed Outlook to send e-mails as UTF-8, and noticed that the last message appears as an attachment. Have now changed it to UTF-7 to see if that still comes through as an attachment.

-- Aidan

_______________________________________________
For details on ALL mailing lists and for joining or leaving lists, go to http://list.cfdeveloper.co.uk/mailman/listinfo
-- CFDeveloper Sponsors:-
>- Hosting provided by www.cfmxhosting.co.uk -<
>- Forum provided by www.fusetalk.com -<
>- DHTML Menus provided by www.APYCOM.com -<
>- Lists hosted by www.Gradwell.com -<
>- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<
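The test Aidan proposes, as an added example that is not part of the thread: it uses Python's sqlite3 bind parameters as a stand-in for what <cfqueryparam> does (bind the value through a prepared statement rather than paste it into the SQL text), and runs the ";drop table"-style payload through a DELETE, i.e. a non-select query, both ways. The `users` table, the payload string and the `as_cf_sql_integer` helper (a hypothetical analogue of the cfsqltype="cf_sql_integer" check, not ColdFusion's own code) are all constructed for this example.

```python
"""Added example, not from the mailing-list thread. Demonstrates why a bound
parameter defeats a "'; DROP TABLE x; --" payload in SELECT and DELETE alike,
using sqlite3 as an analogue of a cfqueryparam prepared statement."""
import sqlite3

# Constructed attacker input, as it might arrive in a form field.
PAYLOAD = "x'; DROP TABLE users; --"


def fresh_db():
    """Constructed in-memory database with a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn


def table_exists(conn):
    """True while the users table is still in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


def count_rows(conn):
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


def delete_unsafe(conn, name):
    """Vulnerable: the value is spliced into the SQL text, the way #form.name#
    would be without <cfqueryparam>. executescript() is needed because the
    payload turns one statement into two. Returns whether the table survived."""
    sql = f"DELETE FROM users WHERE name = '{name}'"
    conn.executescript(sql)
    return table_exists(conn)


def delete_safe(conn, name):
    """Hardened: the value is bound, so the whole payload is compared as data.
    Returns (table still exists, rows remaining)."""
    conn.execute("DELETE FROM users WHERE name = ?", (name,))
    conn.commit()
    return table_exists(conn), count_rows(conn)


def select_safe(conn, name):
    """Bound parameter in a SELECT: the payload matches nothing."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


def as_cf_sql_integer(value):
    """Hypothetical analogue of cfsqltype="cf_sql_integer": refuse anything
    that is not an integer before it reaches the database."""
    text = str(value).strip()
    if not text.lstrip("-").isdigit():
        raise ValueError(f"invalid data {value!r} for CF_SQL_INTEGER")
    return int(text)


if __name__ == "__main__":
    print("unsafe DELETE, table survived:", delete_unsafe(fresh_db(), PAYLOAD))
    print("safe DELETE (exists, rows):   ", delete_safe(fresh_db(), PAYLOAD))
    print("safe SELECT with payload:     ", select_safe(fresh_db(), PAYLOAD))
    try:
        as_cf_sql_integer("1 OR 1=1")
    except ValueError as err:
        print("integer type check rejected:", err)
```

The varchar case is the one Aidan wants to confirm: in `delete_safe` the payload is bound as a string and the database looks for a user literally named `x'; DROP TABLE users; --`, so the DROP is never parsed as SQL. The integer check is the second half of the quoted post: a typed parameter rejects `1 OR 1=1` before any query is built.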
