
cfqueryparam questions/help

Via this question I've been told to start using cfqueryparam for my data, to prevent SQL injection attacks.

How do I use it for my forms? Right now I've been going over Ben Forta's book, Vol. 1, and have been passing data to my form, then to a form processor that calls a CFC. The CFC takes them in as a cfargument then injects that into the database with any type="x" validation.

To use cfqueryparam, do I use that on the query itself and not even declare cfargument?


You can still use a CFC, but remember that string data passed as a function argument will still need <cfqueryparam>. Here is an example:

<cffunction name="saveData" access="public" returntype="void" output="false"> 
 <!--- type="string" only checks the argument's type; it does not make the value safe for SQL --->
 <cfargument name="formVar" type="string" required="true" />

 <cfquery name="LOCAL.qSave" datasource="myDSN">

  insert into myTable (col1)
  <!--- cfqueryparam binds the value as a parameter instead of splicing it into the SQL text --->
  values (<cfqueryparam cfsqltype="cf_sql_varchar" value="#ARGUMENTS.formVar#" />)

 </cfquery>

</cffunction>

The important habit to get into is to always use <cfqueryparam>, even in CFCs.

Here is some more info on those edge-cases where you might find it hard to use <cfqueryparam>.

Hope that helps!

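As an added illustration of how the form page, the processing page and the CFC fit together (this is not part of the answer above and not ColdFusion's own documentation), here is a sketch that assumes a CFC named myApp.MyService, a table myTable with columns id, name and qty, and the myDSN datasource from the answer. The file names and the second argument type are also assumptions chosen for the example.

```cfml
<!--- form.cfm: the HTML form that posts to the processor page --->
<form method="post" action="process_form.cfm">
    <input type="text" name="name">
    <input type="text" name="qty">
    <input type="submit" value="Save">
</form>

<!--- process_form.cfm: pass the raw FORM fields on to the CFC. Nothing on this
      page touches SQL, so nothing on this page has to "clean" the input. --->
<cfset svc = createObject("component", "myApp.MyService")>
<cfset svc.saveRecord(name = FORM.name, qty = FORM.qty)>
<cfset matches = svc.findByName(name = FORM.name)>
<cfoutput>Saved. #matches.recordCount# row(s) now match "#HTMLEditFormat(FORM.name)#".</cfoutput>

<!--- myApp/MyService.cfc (hypothetical component name) --->
<cfcomponent output="false">

    <cffunction name="saveRecord" access="public" returntype="void" output="false">
        <cfargument name="name" type="string"  required="true">
        <cfargument name="qty"  type="numeric" required="true">

        <!--- type="numeric" makes ColdFusion throw if qty is not a number, which is
              useful validation, but it is the cfqueryparam binding below that keeps
              user input out of the SQL text. A name such as  ' OR 1=1 --  reaches the
              driver as a plain string parameter, never as part of the statement. --->
        <cfquery datasource="myDSN">
            INSERT INTO myTable (name, qty)
            VALUES (
                <cfqueryparam cfsqltype="cf_sql_varchar" value="#ARGUMENTS.name#" maxlength="100">,
                <cfqueryparam cfsqltype="cf_sql_integer" value="#ARGUMENTS.qty#">
            )
        </cfquery>
    </cffunction>

    <cffunction name="findByName" access="public" returntype="query" output="false">
        <cfargument name="name" type="string" required="true">
        <cfset var q = "">

        <!--- WHERE clauses need the same treatment. The dangerous form this replaces is
                  WHERE name = '#ARGUMENTS.name#'
              which splices the input straight into the statement. --->
        <cfquery name="q" datasource="myDSN">
            SELECT id, name, qty
            FROM   myTable
            WHERE  name = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ARGUMENTS.name#">
        </cfquery>
        <cfreturn q>
    </cffunction>

</cfcomponent>
```

Two habits worth keeping from this sketch: choose the cfsqltype to match the column (cf_sql_integer for an integer column, so a non-numeric value is rejected before it reaches the database rather than silently coerced), and set maxlength on varchar parameters so over-long input fails at the binding instead of truncating or erroring inside the database.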