cfqueryparam

This isn't really related to anything in particular. Someone just posted this on the cf-talk list:

We have a large content management application used by retailers to manage their website content and website storefront. The application uses ColdFusion 7.02, MSSQL Server 2000 and IIS. We have a load balanced environment with 5 webservers. The application has over 10,000 cfquery tags and until recently we did not use cfqueryparam. We upgraded the application to use cfqueryparam in all queries and noticed a significant increase in the JRUN Working Set usage on all webservers. Prior to the upgrade the JRUN working set was flat at roughly 550 MB and after the change the JRUN working set climbed over 800 MB.

I use cfqueryparam religiously, so obviously any application I've written will probably do the same thing... but that's not why I'm posting this... I'm posting it because when I read this post I thought to myself "wow, 10,000... I have 1... not 1k, not 100, ONE"... made me chuckle. I get all the benefits of cfqueryparam but I never write a single (cryptic and redundant) cfsqltype attribute. :)

It's not just cool, it's awesome, because it's really important to include them (to protect yourself against SQL injection attacks) and yet so many of the places I've worked, like the guy who posted this to the mailing list, just haven't. And usually the reason is simple: "laziness". People don't use them because they don't like being bothered to write the extra 20+ characters of code for each one. I don't blame them; it's tedious, cryptic and annoying, not to mention that cfsqltype adds coupling between your CFML and the database's column types. So I don't write cfsqltype. But I still use cfqueryparam. :)

(With the exception of cases where I'm using a Query of Query.)
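For anyone who hasn't seen why this matters, here is an added example (constructed for this post, not code from the blog or from the mailing-list poster) showing the same lookup written both ways; the `storefront` datasource, the `products` table and the `url.id` parameter are assumed names.

```cfml
<!--- Constructed example: looking up a product by a URL parameter.

      Vulnerable form: the value of url.id is pasted straight into the SQL
      text, so whatever the client sends becomes part of the statement the
      database parses. --->
<cfquery name="productRaw" datasource="storefront">
    SELECT id, name, price
    FROM products
    WHERE id = #url.id#
</cfquery>

<!--- Hardened form: cfqueryparam sends the value as a bind parameter.
      The database receives the SQL text and the value separately, so the
      value can never be parsed as SQL. cfsqltype="cf_sql_integer" also
      rejects non-numeric input with an exception before the query runs,
      which is the edge case to handle for an id that should be a number. --->
<cfquery name="productSafe" datasource="storefront">
    SELECT id, name, price
    FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String values get the same treatment; the bind parameter handles
      quotes in the input, so no manual escaping is needed. --->
<cfquery name="productSearch" datasource="storefront">
    SELECT id, name, price
    FROM products
    WHERE name LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar">
</cfquery>
```

The hardened forms are also what a prepared-statement cache can reuse, which is the reason the JRun working set grows after a wholesale switch like the one described above.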
