It has been interesting to see the results of the recent series of SQL injection attacks. I have been using <cfqueryparam> for all dynamic data for years, so I wasn't worried about the SQL injection. Still, even for sites with <cfqueryparam>, error email messages remain a problem.
Although I have gotten some errors from some sites, none from my newer sites. The reason is that earlier steps I have taken prevent errors from invalid URL variables.
The Page Controllers that I use have their own param() method that works mostly like <cfparam>.
It has three arguments:
- name: The name of the variable
- type: The variable type
- default: The default value
The big difference from this to <cfparam> is that <:cfparam> throws an error if the variable exists but isn't of the appropriate type whereas the param() method of the Page Controller will just go ahead and set the default value.
I would love it if this behavior was available as an option for <cfparam> as well.
Although this is my preferred technique, on some older sites I relied on try/catch:
<cfparam name="url.id" type="numeric">
<cflocation url="index.cfm" addtoken="No">
A cleaner approach that I have also used is Val(), which is effective in preventing errors:
<cfset URL.id = Val(URL.id)>
<cfset URL.id = 0>