SQL injection attacks occur when a client manipulates a web page to pass invalid data to a query. This can be done to force errors, bypass security, or even delete data. The <cfqueryparam> tag prevents SQL injection by binding values into the query; the bound values cannot be interpreted as SQL. It also results in faster queries, because the database can reuse the prepared statement.

Bad Code:

<cfquery name="QCheckUser" datasource="blahblah">
SELECT *
FROM USERS
WHERE username = '#FORM.username#'
AND password = '#FORM.password#'
</cfquery>

Good Code:

<cfquery name="QCheckUser" datasource="blahblah">
SELECT *
FROM USERS
WHERE username = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.username#">
AND password = <cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.password#">
</cfquery>
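The same binding mechanism, shown in Python's sqlite3 DB-API rather than CFML, as an added example that is not part of the original page: the interpolated query breaks on a legitimate apostrophe (the "force errors" case above), while the bound query treats every value as data. The USERS table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the page's USERS table
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brien", "pass")])
    return conn


def check_user_interpolated(conn, username, password):
    # Mirrors the bad <cfquery>: values are spliced into the SQL text,
    # so any quote in the input changes the statement itself
    sql = ("SELECT * FROM USERS WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def check_user_bound(conn, username, password):
    # Mirrors <cfqueryparam>: the SQL text is fixed and the values are
    # sent separately, so they can only ever be compared as data
    sql = "SELECT * FROM USERS WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # A legitimate name containing a quote: the interpolated statement
    # becomes ...username = 'O'Brien'... and the database rejects it
    try:
        check_user_interpolated(conn, "O'Brien", "pass")
        results["interpolated_error"] = False
    except sqlite3.OperationalError:
        results["interpolated_error"] = True
    # The bound version matches the same user without any escaping
    results["bound_rows"] = len(check_user_bound(conn, "O'Brien", "pass"))
    # A value containing SQL syntax is compared literally when bound:
    # no row has that exact username, so nothing is returned
    results["bound_literal_rows"] = len(check_user_bound(conn, "alice' --", "x"))
    return results


if __name__ == "__main__":
    print(demo())
```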