Eric Bourland
Should I use CFQUERYPARAM in a cfinvokeargument value?
Need some advice. Please see code below.
Is it secure?
Should I use CFQUERYPARAM in a cfinvokeargument value? Is it possible or advisable to do so?
I am working to make my applications more secure. Thanks for any advice.
Eric
<!---
A form process page that updates web address links in a database table.
--->
<!--- Edit or update? --->
<cfif IsDefined("FORM.LinkID")>
<cfset method="update">
<cfelse>
<cfset method="add">
</cfif>
<!--- Proceed --->
<cfinvoke component="/client/updateLink"
method="#method#">
<!--- LinkID only if update method --->
<cfif IsDefined("FORM.LinkID")>
<cfinvokeargument name="LinkID"
value="#FORM.LinkID#">
</cfif>
<cfinvokeargument name="Title"
value="#Trim(FORM.Title)#">
<cfinvokeargument name="WebAddress"
value="#Trim(FORM.WebAddress)#">
<cfinvokeargument name="Description"
value="#Trim(FORM.Description)#">
<cfinvokeargument name="DateAdded"
value="#DateFormat(FORM.DateAdded)#">
</cfinvoke>
<!--- When done go back to link list --->
<cflocation url="/admin/manageLink.cfm">
ASKER CERTIFIED SOLUTION
Always a pleasure :)
ASKER
I was 90% sure of this.
<cfinvokeargument name="Title"
value=<cfqueryparam cfsqltype="cf_sql_varchar"
... is not valid. Got it. That was my question. =)
I do use CFQUERYPARAM with all INSERT, UPDATE, and DELETE queries -- within a CFC or a plain old ColdFusion page.
Thank you as always, _agx_.
Eric
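As an added example (not code from the original post or from _agx_'s answer), here is what the `updateLink` CFC invoked by the form page above could look like, with `cfqueryparam` placed where it belongs: inside the `cfquery` in each method, not in a `cfinvokeargument` value. The datasource name `linksDSN`, the table name `Links`, its column names and the `maxlength` limits are assumptions; the method and argument names match what the posted form page passes.

```cfml
<!---
  updateLink.cfc (added example; datasource, table and column names are assumed).
  The form page hands plain strings to this component through cfinvokeargument.
  Nothing is parameterised until a value reaches a cfquery, so that is the only
  place a cfqueryparam tag is valid or useful. Every form-derived value is bound
  as a parameter; none is concatenated into the SQL text.
--->
<cfcomponent output="false">

    <cffunction name="add" access="public" returntype="void" output="false">
        <cfargument name="Title"       type="string" required="true">
        <cfargument name="WebAddress"  type="string" required="true">
        <cfargument name="Description" type="string" required="true">
        <!--- type="date" rejects anything IsDate() would not accept, so the
              DateFormat() string the caller passes is parsed and checked here --->
        <cfargument name="DateAdded"   type="date"   required="true">

        <cfquery datasource="linksDSN">
            INSERT INTO Links (Title, WebAddress, Description, DateAdded)
            VALUES (
                <cfqueryparam value="#arguments.Title#"       cfsqltype="cf_sql_varchar" maxlength="255">,
                <cfqueryparam value="#arguments.WebAddress#"  cfsqltype="cf_sql_varchar" maxlength="2048">,
                <cfqueryparam value="#arguments.Description#" cfsqltype="cf_sql_longvarchar">,
                <cfqueryparam value="#arguments.DateAdded#"   cfsqltype="cf_sql_timestamp">
            )
        </cfquery>
    </cffunction>

    <cffunction name="update" access="public" returntype="void" output="false">
        <!--- type="numeric" here plus cf_sql_integer below: a LinkID such as
              "1 OR 1=1" is rejected before any SQL is sent to the database --->
        <cfargument name="LinkID"      type="numeric" required="true">
        <cfargument name="Title"       type="string"  required="true">
        <cfargument name="WebAddress"  type="string"  required="true">
        <cfargument name="Description" type="string"  required="true">
        <cfargument name="DateAdded"   type="date"    required="true">

        <cfquery datasource="linksDSN">
            UPDATE Links
            SET    Title       = <cfqueryparam value="#arguments.Title#"       cfsqltype="cf_sql_varchar" maxlength="255">,
                   WebAddress  = <cfqueryparam value="#arguments.WebAddress#"  cfsqltype="cf_sql_varchar" maxlength="2048">,
                   Description = <cfqueryparam value="#arguments.Description#" cfsqltype="cf_sql_longvarchar">,
                   DateAdded   = <cfqueryparam value="#arguments.DateAdded#"   cfsqltype="cf_sql_timestamp">
            WHERE  LinkID      = <cfqueryparam value="#arguments.LinkID#"      cfsqltype="cf_sql_integer">
        </cfquery>
    </cffunction>

</cfcomponent>
```

The calling page needs no change: its `cfinvokeargument` tags keep passing `#Trim(FORM.Title)#` and the other form fields as ordinary strings. `Trim()` is data cleanup, not an injection defence; the defence is that each value reaches the database as a bound parameter with a declared SQL type and length, so a value like `'; DROP TABLE Links; --` is stored as a literal string rather than executed. The `cfargument` types give an early, readable failure for the two fields (`LinkID`, `DateAdded`) where a non-conforming value should never reach the query at all.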