Typically I use integer ids in my application, but for this one piece of dev I am doing lookups on a text field – a tag name.
I do make use of cfqueryparam, but considering that it’s a text field, could it be vulnerable to SQL injection attacks, and if so, how do other people get around this other than tediously searching the string for SQL commands?
My query looks something like:
SELECT tagId -- etc etc
FROM tag
WHERE tagName = <cfqueryparam cfsqltype="cf_sql_varchar" maxlength="50" value="#arguments.tagName#" />
Thanks
That’s safe by virtue of the fact that you’re using <cfqueryparam>. That’s what the tag does. It sends the value as text (or whatever the cfsqltype happens to be), not a command to be executed.
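To show concretely why the answer above holds, here is an added example (not from the original thread, and not ColdFusion code) that reproduces the same tag lookup in Python against an in-memory SQLite table. The bound `?` parameter plays the role of `<cfqueryparam cfsqltype="cf_sql_varchar">`: the tag name travels to the database as a value, separate from the statement text, so quote characters and SQL keywords in it are matched as data rather than parsed as SQL. The table contents, the column length check mirroring `maxlength="50"`, and the function names are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data (not from the original post): a small tag table.
# "O'Reilly" is a perfectly legitimate tag name that happens to contain a quote.
TAGS = ["coldfusion", "sql", "O'Reilly"]


def make_db():
    """Create an in-memory tag table and populate it with the sample tags."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tag (tagId INTEGER PRIMARY KEY, tagName TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO tag (tagName) VALUES (?)", [(t,) for t in TAGS])
    return conn


def lookup_tag_unsafe(conn, tag_name):
    """String concatenation: the value becomes part of the SQL text itself,
    so the database parser sees whatever the caller supplied."""
    sql = "SELECT tagId FROM tag WHERE tagName = '" + tag_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_tag_param(conn, tag_name):
    """Bound parameter: the driver sends the value alongside, not inside,
    the statement. This is the mechanism <cfqueryparam> relies on."""
    if len(tag_name) > 50:  # mirrors maxlength="50" in the post's cfqueryparam
        raise ValueError("tagName longer than 50 characters")
    sql = "SELECT tagId FROM tag WHERE tagName = ?"
    return [row[0] for row in conn.execute(sql, (tag_name,))]


def demo():
    """Run both lookups over the same inputs and return the outcomes."""
    conn = make_db()
    results = {
        # Parameterised: a tag name with an apostrophe is found as data.
        "param_apostrophe": lookup_tag_param(conn, "O'Reilly"),
        # Parameterised: quote characters and an OR keyword match nothing,
        # because no tag is literally named that.
        "param_quote_input": lookup_tag_param(conn, "x' OR '1'='1"),
        # Concatenated: the same string alters the WHERE clause and
        # matches every row, which is the injection the question worries about.
        "unsafe_quote_input": lookup_tag_unsafe(conn, "x' OR '1'='1"),
    }
    try:
        # Concatenated: even the legitimate apostrophe breaks the statement.
        lookup_tag_unsafe(conn, "O'Reilly")
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "SQL syntax error"
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The parameterised lookup never needs to inspect the string for SQL commands: the only check worth keeping is the length limit, which corresponds to `maxlength` on the tag and simply rejects values that could not be a valid tag name anyway.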