I'm coming in here without reading the thread, but don't forget that CFQUERYPARAM is not just for SQL injection attacks etc. but also handles bind variables. Bind variables in conjunction with Oracle will greatly increase speed.

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]
---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com

----- Original Message -----
From: "Jochem van Dieten" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 03, 2002 1:22 PM
Subject: Re: Why use cfqueryparam on data inputs? WAS: cfqueryparam and scrubbing form inputs

> Matt Robertson wrote:
> > Dave,
> >
> > The results seen in the previous thread bring up a question: why use
> > cfqueryparam at all on form inputs that are not used in a WHERE clause,
> > especially when a good input scrubber is already in use?
> >
> > I can already see one answer: cfsqltype=cf_sql_numeric will throw an
> > error if a sql injection is attempted. So use cfqueryparam on those.
> > But what about cfsqltype=cf_sql_varchar? I can see a clear need for it
> > in a WHERE clause, but with inputs? When a scrubber is already in use?
> > What does it do in that specific case?
>
> Your scrubber is unicode aware.
> Is your wire protocol unicode aware?
> Is any translation performed for the wire protocol?
> Is that translation protected from generating dangerous characters?
> Do you even know the dangerous characters for all databases?
>
> If you like the answer to all of these questions, go for the scrubber. I
> go for cfqueryparam.
>
> Jochem
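
The INSERT case asked about in the quoted message, written with every form value bound through cfqueryparam. This is an added example and not code from anyone in the thread; the datasource `appDSN`, the table `comments` and the form field names are assumptions.

```cfml
<!--- Added example. Datasource "appDSN", table "comments" and the form
      field names are assumptions, not taken from the thread. --->
<cfparam name="form.author" default="">
<cfparam name="form.body"   default="">
<cfparam name="form.rating" default="">

<cftry>
    <cfquery name="addComment" datasource="appDSN">
        INSERT INTO comments (author, body, rating)
        VALUES (
            <!--- Sent as bind values: the database receives them as data,
                  separate from the SQL text, so quotes in the input are
                  stored as typed and never parsed as part of the statement.
                  maxlength rejects oversized input before the query runs. --->
            <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#form.body#"   cfsqltype="cf_sql_varchar" maxlength="2000">,
            <!--- Non-numeric input fails validation here, before the
                  statement reaches the database. --->
            <cfqueryparam value="#form.rating#" cfsqltype="cf_sql_numeric">
        )
    </cfquery>
    <cfoutput>Comment saved.</cfoutput>

    <cfcatch type="any">
        <!--- Validation failure or database error: record the exception
              type only and show the user nothing internal. --->
        <cflog file="comments" type="warning" text="Insert rejected (#cfcatch.type#)">
        <cfoutput>Your comment could not be saved.</cfoutput>
    </cfcatch>
</cftry>
```

Because the SQL text is the same on every request and only the bound values change, this form also gives the database the bind variables mentioned in the reply above.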

