I believe it is just as important to put proper error handling into your ColdFusion application as it is to use CFQueryParam with your CFQuery's SQL statements. However, I'm fairly certain friendly error handling messages are the last thing on your mind since you've been updating your CFQuery's to use CFQueryParam, right? Would you believe it's the ever-popular blue and grey ColdFusion error pages that actually contributed to the recent rise in SQL injection attacks on ColdFusion web sites? Well, check out this quote take from 0x000000 # The Hacker Webzine's article Attacking ColdFusion, "I have never seen so much information regarding the site's structure, used database, table names, drivers, server setup and other information useful for attackers." So the last thing we, as ColdFusion developers, would want to do is serve up a big, hacker-friendly sign that says "Hack Me!" Right?
The first thing I would recommend to do is begin checking your site(s) to see what happens when invalid data or arguments are passed through the URL, FORM, etc. It's not too difficult to do. For example, if you have a URL similar to http://www.yourdomain.com/details/?id=45, what happens if you change it to http://www.yourdomain.com/details/?id=45x? If your see the hacker-friendly blue and grey screen, then it's time for some better error handling. Sure, your database might be protected today, but why give the evil-doers more information than they need?
The best part is, Raymond Camden (aka ColdFusionJedi) has already written "The Complete Guide to Adding Error Handling to Your ColdFusion Application." Ray walks you through the trenches of handling errors and you will come out with an armful of techniques to implement into your current and future projects.