Does cfargument type attribute remove the need for cfqueryparam?

couldn’t find anything already discussed on this forum about this.

I don’t think it does.

The TYPE attribute for CFARGUMENT merely performs a type check on the data coming through; if it does not match, it throws an error.

The CFQUERYPARAM helps protect against SQL injection, ensuring the value provided matches the datatype defined in the CFSQLTYPE attribute and that the value does not break CF/RDBMS when using special characters like apostrophes and hashes.


No it doesn’t

For example - if you specify an argument of type string, that’s used within your query and is accessible through a URL / Forms value then I can inject…

<cffunction name="myQuery">
<cfargument name="myValue" type="string" />
cfset q = queryNew('myQuery') />
<cfquery name="q">
select *
from myTable
Where id = "#arguments.myValue#"
<cfreturn q />

Could be allow me to inject if you have code like


It’s worth slapping cfqueryparam in anything dynamic you’re passing in. Good habit to get into and its better to have it than not.