In a CFC file using <cffunction> with <cfargument type="blah"> should any queries inside the function (which is in the cfc) be using <cfqueryparam>? Or is the data already validated by the <cfargument> tag? I want to make sure I'm protecting my users, but don't know if theres a such thing as "overkill" here.
Repeat after me - there is no overkill when it comes to security. Another example would if you do validation on the argument before sending it to the CFC. Does it make sense to validate again in the CFC. Yes. As it stands, cfargument can validate data types, but can’t validate things like “Greater than zero” or “Whole numbers only.”
Also - you are forgetting the cfqueryparam is more than just a security thing. It also speeds up the query execution (for databases that support it).