> I don't know that I'd make that a blanket recommendation. If you use
> CFQUERYPARAM to make a prepared statement, you can't use
> CACHEDWITHIN/CACHEDAFTER with your CFQUERY tags. You'll want to determine
> which is more appropriate in a given case.
>
> In any case, you'll get better performance using stored procedures with SQL
> Server than you will with CFQUERYPARAM; Oracle, on the other hand, gets more
> out of prepared statements and less out of SPs than SQL Server does.

True, but using CFQueryParam is a lot more secure than using just Val().

> To carry this one step further, you should always filter all input from the
> browser to ensure it contains just the things you want to allow it to
> contain - URL parameters, form fields, and CGI data. Security within web
> application code tends to be weak to nonexistent.

I'd have to agree with this 100% - never trust anything that's coming from
the URL or FORM scopes unless you've verified it...

Philip Arnold
Director
Certified ColdFusion Developer
ASP Multimedia Limited
T: +44 (0)20 8680 1133

"Websites for the real world"

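The contrast this reply draws, as an added illustration rather than code from the thread: the same lookup written with a raw URL value, with Val(), and with CFQUERYPARAM plus a CFPARAM type check on the way in. The datasource, table and column names are made up for the example.

```cfml
<!--- Constructed example: the datasource and the users table are not from the thread --->

<!--- 1. Unsafe: whatever arrives in url.id becomes part of the SQL text --->
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT user_id, user_name
    FROM users
    WHERE user_id = #url.id#
</cfquery>

<!--- 2. Val(): coerces the value to a number, which keeps text out of this
       integer column, but it cannot help with string columns and it
       silently turns any non-numeric input into 0 --->
<cfquery name="getUser" datasource="#application.dsn#">
    SELECT user_id, user_name
    FROM users
    WHERE user_id = #Val(url.id)#
</cfquery>

<!--- 3. Validate the scope first (cfparam throws on a non-integer),
       then bind the value as a typed parameter: it is sent to the
       driver separately from the SQL text, so it is never parsed as SQL.
       cf_sql_varchar with maxlength covers the string case Val() cannot. --->
<cfparam name="url.id" type="integer">
<cfparam name="form.userName" type="string" default="">

<cfquery name="getUser" datasource="#application.dsn#">
    SELECT user_id, user_name
    FROM users
    WHERE user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND user_name = <cfqueryparam value="#form.userName#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>
```

Forms 2 and 3 both stop the integer case; only form 3 also protects a string column, which is the point of preferring CFQUERYPARAM over Val() alone.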


Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/