It's only "not safe" if you don't verify it's safe before using it. I imagine you'd be fine if you simply validate that `form.schema` value to be a sequence of safe characters and nothing else? That's a simple regex: `^\w+$` (allows for A-Z, 0-9, and underscore).
And you can't use a `<cfqueryparam>` as those are for parameter values, not random bits of the SQL statement. Ref: "What one can and cannot do with `<cfqueryparam>`"