this is true and I do ;-)  In Oracle it's even faster than that

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com

----- Original Message -----
From: "Mark A. Kruger - CFG" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, September 03, 2002 1:40 PM
Subject: RE: Why use cfqueryparam on data inputs? WAS: cfqueryparam and scrubbing form inputs

> Bryan,
>
> An addition to that addition, using cfqueryparam with MS SQL allows MSSQL to
> match a query to a cached execution plan - also greatly increasing speed
> (4-6X in some cases).
>
> -mk
>
> -----Original Message-----
> From: Bryan Stevenson [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 03, 2002 3:32 PM
> To: CF-Talk
> Subject: Re: Why use cfqueryparam on data inputs? WAS: cfqueryparam and
> scrubbing form inputs
>
>
> I'm coming in here without reading the thread, but don't forget that
> CFQUERYPARAM is not just for SQL injection attacks etc. but also handles
> bind variables. Bind variables in conjunction with Oracle will greatly
> increase speed.
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> t. 250.920.8830
> e. [EMAIL PROTECTED]
>
> ---------------------------------------------------------
> Macromedia Associate Partner
> www.macromedia.com
> ---------------------------------------------------------
> Vancouver Island ColdFusion Users Group
> Founder & Director
> www.cfug-vancouverisland.com
>
> ----- Original Message -----
> From: "Jochem van Dieten" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 03, 2002 1:22 PM
> Subject: Re: Why use cfqueryparam on data inputs? WAS: cfqueryparam and
> scrubbing form inputs
>
>
> > Matt Robertson wrote:
> > > Dave,
> > >
> > > The results seen in the previous thread bring up a question: why use
> > > cfqueryparam at all on form inputs that are not used in a WHERE clause,
> > > especially when a good input scrubber is already in use?
> > >
> > > I can already see one answer: cfsqltype=cf_sql_numeric will throw an
> > > error if a sql injection is attempted. So use cfqueryparam on those.
> > > But what about cfsqltype=cf_sql_varchar? I can see a clear need for it
> > > in a WHERE clause, but with inputs? When a scrubber is already in use?
> > > What does it do in that specific case?
> >
> > Your scrubber is unicode aware.
> > Is your wire protocol unicode aware?
> > Is any translation performed for the wire protocol?
> > Is that translation protected from generating dangerous characters?
> > Do you even know the dangerous characters for all databases?
> >
> > If you like the answer to all of these questions, go for the scrubber. I
> > go for cfqueryparam.
> >
> > Jochem

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
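The following is an added illustration of the points made in this thread, not code from any of the posters: every form value, including the INSERT values that never reach a WHERE clause, goes through cfqueryparam, so each one travels to the database as a typed bind parameter rather than as a piece of SQL text. The datasource, table and column names are assumed.

```cfml
<!--- Added example (assumed schema: customers(cust_id, cust_name, notes), DSN in application.dsn).
      Nothing from form scope is ever concatenated into the SQL string. --->
<cfquery name="insertCustomer" datasource="#application.dsn#">
    INSERT INTO customers (cust_id, cust_name, notes)
    VALUES (
        <!--- cf_sql_integer: a non-numeric value is rejected by ColdFusion before
              the statement is sent, which is the "throws an error" case from the thread --->
        <cfqueryparam value="#form.cust_id#" cfsqltype="cf_sql_integer">,
        <!--- cf_sql_varchar: the string is handed over as a bind variable, so a quote or
              comment sequence inside it is stored as data and never parsed as SQL.
              maxlength rejects input wider than the column instead of silently truncating. --->
        <cfqueryparam value="#form.cust_name#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <!--- null="Yes" sends a real SQL NULL when the optional field was left blank --->
        <cfqueryparam value="#form.notes#" cfsqltype="cf_sql_varchar"
                      null="#NOT Len(Trim(form.notes))#">
    )
</cfquery>

<!--- Same idea in a WHERE clause. Because the SQL text is identical on every request and only
      the bound value changes, Oracle (bind variables) and MS SQL Server (cached execution plans)
      can reuse the plan, which is the speed-up the posters describe. --->
<cfquery name="getCustomer" datasource="#application.dsn#">
    SELECT cust_id, cust_name, notes
    FROM   customers
    WHERE  cust_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

Because the value never becomes part of the SQL text, the questions Jochem raises about the scrubber's character set versus the wire protocol's do not arise for these queries; the database driver receives the value and its type separately.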

