Well, cgi.query_string is a copy of the URL parameters and their values. But what are you "checking" for SQL injection in the URL values? The usual best practice is to use <cfqueryparam ...> to prevent the injection from working. It is very difficult to try and detect all the different ways a hacker can come at you.
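
The `<cfqueryparam>` approach recommended above, shown beside the concatenated form it replaces. This is an added example, not part of the original post; the `articles` table, its columns, the `url.id`, `url.author` and `url.tags` parameters and `application.dsn` are hypothetical names.

```cfml
<!--- Added example; table, column, URL parameter and datasource names are hypothetical. --->

<!--- Before: the URL value is concatenated into the SQL text, so whatever
      arrives in the query string becomes part of the statement. --->
<cfquery name="qUnsafe" datasource="#application.dsn#">
    SELECT id, title
    FROM articles
    WHERE id = #url.id#
</cfquery>

<!--- After: every URL value is sent as a typed bind parameter, separate
      from the SQL text, so the database never parses it as SQL. --->
<cfparam name="url.id" default="0">
<cfparam name="url.author" default="">
<cfparam name="url.tags" default="">

<cfquery name="qSafe" datasource="#application.dsn#">
    SELECT id, title
    FROM articles
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    <cfif len(url.author)>
        <!--- maxlength rejects over-long input before the query runs --->
        AND author = <cfqueryparam value="#url.author#" cfsqltype="cf_sql_varchar" maxlength="50">
    </cfif>
    <cfif len(url.tags)>
        <!--- list="true" binds each comma-separated value as its own parameter --->
        AND tag_id IN (<cfqueryparam value="#url.tags#" cfsqltype="cf_sql_integer" list="true">)
    </cfif>
</cfquery>
```

With `cfsqltype="cf_sql_integer"`, a non-numeric `url.id` raises an error in ColdFusion before anything is sent to the database, so no pattern matching on `cgi.query_string` is needed for these values.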