October 12, 2011
Question

sql injection avoiding


If someone enters SQL commands into a text element for address or name, how does cfqueryparam help protect against SQL injection?

Would a regular expression or something checking for dangerous key words help at least as much ?


    2 replies

    October 12, 2011

    cfqueryparam does a lot of good things and should be used unless there is a reason not to, but it has its limitations with regard to protection against malicious code.  For example, it does nothing to prevent JavaScript from being submitted as text.

    For your specific example, entering SQL into a text box destined for a char field in a database is not a big deal.  The command won't execute.

    Owainnorth
    October 12, 2011

    It protects by explicitly telling the database "the string I am about to send you is just a string, to be substituted into a query as a variable". That way the database doesn't try to execute part of that string as SQL, as can happen without it.

    There is also the cfsqltype attribute - if you're sending a number, but with the value "DROP TABLE users", then CF can stop it before it even gets to the database, so it basically makes your variables type-safe to a degree.

    If you want a watertight solution, go for both. Regex so you can nicely tell the user they've inputted something invalid, and queryparam as a last resort to stop someone screwing over your data.
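The points made in this reply (the value is sent separately from the statement, a typed parameter rejects "DROP TABLE users" before the database sees it) and the regex question asked at the top of the thread, shown as a runnable example. This is an added example, not code from the thread or from ColdFusion itself: it uses Python's sqlite3 module, whose `?` placeholders do the same job as `<cfqueryparam>`, and the `customers` table, its two rows and the attacker input `' OR '1'='1` are constructed for the demo.

```python
"""Added example: concatenated vs. bound SQL parameters, a type check
that mimics cfsqltype="cf_sql_integer", and a keyword blocklist regex.
Table, rows and attacker inputs below are constructed for the demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory table with two customers.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the value is pasted into the SQL text, so the database
    # parses whatever the user typed as part of the statement.
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # SAFE: the value travels separately from the statement as a bound
    # parameter, which is what <cfqueryparam> arranges in ColdFusion.
    sql = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    # Mimics cfsqltype="cf_sql_integer": the value must look like an
    # integer before it is bound, so "DROP TABLE users" is rejected here
    # and never reaches the database.
    if not re.fullmatch(r"-?\d+", raw_id.strip()):
        raise ValueError("id must be an integer, got %r" % raw_id)
    sql = "SELECT name FROM customers WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


# The keyword-blocklist approach from the question: useful for telling the
# user their input was rejected, but it only knows the words you listed.
DANGEROUS = re.compile(r"\b(drop|delete|insert|update|union)\b", re.IGNORECASE)


def keyword_filter_blocks(value: str) -> bool:
    return DANGEROUS.search(value) is not None


def demo() -> dict:
    conn = make_db()
    # Constructed attacker input: a tautology with none of the blocklisted
    # words, so the regex lets it through while concatenation leaks every row.
    payload = "' OR '1'='1"
    try:
        lookup_by_id(conn, "DROP TABLE users")
        int_rejected = False
    except ValueError:
        int_rejected = True
    return {
        "concat": lookup_concat(conn, payload),   # every customer leaks
        "param": lookup_param(conn, payload),     # no customer has that name
        "filter_blocks_payload": keyword_filter_blocks(payload),
        "int_param_rejects_text": int_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The regex here is only the friendly-error layer the reply recommends; the bound parameter is what actually stops the tautology, which is why the two are combined rather than the regex used alone.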