I want to be able to add an SQL schema via <cfquery>. I know this is not safe:
<cfquery dataSource="#form.datasource#">
CREATE SCHEMA [#form.schema#] AUTHORIZATION [dbo]
</cfquery>
And this throws an error:
<cfquery dataSource="#form.datasource#">
CREATE SCHEMA <cfqueryparam CFSQLType="cf_sql_varchar" value="#form.schema#"> AUTHORIZATION [dbo]
</cfquery>
And stored procedures are not an option. They are not an option because the stored procedure should be a part of the schema, which doesn't yet exist.
It's only "not safe" if you don't verify it's safe before using it. I imagine you'd be fine if you simply validate that the form.schema value is a sequence of safe characters and nothing else? That's a simple regex: ^\w+$ (allows for A-Z, 0-9, and underscore).
And you can't use a <cfqueryparam> as those are for parameter values, not random bits of the SQL statement. Ref: "What one can and cannot do with <cfqueryparam>"
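The allow-list approach from the answer above, written out as an added example (not code from the question or the answer): the schema name is checked against ^\w+$ and a length cap before it is interpolated into the DDL, since <cfqueryparam> cannot stand in for an identifier. The function name validateIdentifier and the 128-character limit (SQL Server's sysname length) are assumptions of this example, and form.datasource is left exactly as the question uses it.

```cfml
<cfscript>
// Added example: allow-list an identifier before it is spliced into DDL.
// <cfqueryparam> only parameterises values, so the name itself must be
// proven safe before it is interpolated into the statement text.
function validateIdentifier(required string candidate) {
    // ^\w+$ permits letters, digits and underscore only, so none of the
    // characters that could close the [...] quoting or end the statement
    // (]; ' - /) can get through.
    if (!reFind("^\w+$", arguments.candidate)) {
        throw(type="InvalidIdentifier",
              message="Schema name may contain only letters, digits and underscore.");
    }
    // Assumed cap: SQL Server identifiers (sysname) are at most 128 characters.
    if (len(arguments.candidate) > 128) {
        throw(type="InvalidIdentifier",
              message="Schema name exceeds 128 characters.");
    }
    return arguments.candidate;
}

// Validate once, then use the validated copy and nothing else in the query.
schemaName = validateIdentifier(form.schema);
</cfscript>

<cfquery datasource="#form.datasource#">
CREATE SCHEMA [#schemaName#] AUTHORIZATION [dbo]
</cfquery>
```

A rejected value raises InvalidIdentifier before any SQL is sent, so the <cfquery> is only ever reached with a name the regex has already accepted.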