Ok, this isn't directly related to CF, but it's something everybody on
the list should read anyway.
Ben Rogers wrote:
>> Yes. For sure, Netscape 4 was horrid. IE was the bomb at that point.
>> I talked many people off of netscape 4 onto IE because it was better
>> by far. IE sucks now.
>
> I really think this is a gross exaggeration. Thinking back to how
> trying it was to develop cross-browser and cross-platform Web sites
> several years ago, I think that we've come a long way. In my opinion,
> it's largely due to Microsoft's early adoption of various standards
> including CSS-1, XML, XSL, etc. It's been a rocky road and they
> adopted a few technologies a little too soon. Nevertheless, it's
> pretty trivial to design sites that work not just in the most popular
> two browsers, but dozens of browsers with a handful of different
> rendering engines.
Not just that, but straight from the horse's (jwz's) pen this morning:
http://www.jwz.org/doc/groupware.html
Now for that Obligatory ColdFusion Bit:
Even if you think CF will protect you from SQL injection attacks without
needing to use <cfqueryparam>, there's one good reason for using it:
lists.
Writing queries against lists of data is painful at best, however
<cfqueryparam> makes it easy. Say you've got a variable called
"FORM.categoryList". This might have come from a multiple <select>
widget, or check boxes, or something else. Imagine that you have to
get all the entries in some table that correspond to it. Now you
*could* mess about with all kinds of stuff, but isn't this much easier:
<cfquery name="categories" ...>
SELECT categoryId, title, description
FROM categories
WHERE categoryId IN
(<cfqueryparam cfsqltype="CF_SQL_INTEGER" list="Yes"
value="#FORM.categoryList#">)
</cfquery>
And quite readable too. Now imagine if the list was a bunch of strings,
say email addresses. Now that's even more annoying because you have to
loop over all the different elements and output them into the query one
by one. Or, if you're smart, do a quick:
<cfscript>
function PrepareQueryStringList(lst)
{
// Escape all the single quotes. Very important.
var tmp = Replace(lst, "'", "''", "ALL");
// Wrap each element in quotes.
return "'" & Replace(tmp, ",", "','", "ALL") & "'";
}
</cfscript>
<cfquery name="categories" ...>
DELETE FROM subscribers
WHERE email IN (#PreserveSingleQuotes(PrepareQueryStringList(emails))#)
</cfquery>
But isn't that really braindead? This, on the other hand, is much
smarter:
<cfquery name="categories" ...>
DELETE FROM subscribers
WHERE email IN (<cfqueryparam cfsqltype="CF_SQL_VARCHAR" list="Yes"
value="#emails#">)
</cfquery>
Much better.
Now, there's only one real complaint that can be made against the tag,
and that's that it's 12 characters too long. The annoying redundant
crap lies in the cfsqltype attribute and all the values it takes. I'm
not sure why exactly it was designed this way, but it would have made
more sense to use something like type="VARCHAR", but what can you do.
K.
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:195178
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
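The point of the post above is that a list bound through <cfqueryparam list="Yes"> is both safer and less error-prone than hand-building the IN clause with a quoting helper. The following is an added example, not code from the post or from ColdFusion, that shows the same two approaches in Python against an in-memory SQLite database: a port of the post's PrepareQueryStringList helper (to see what it does and where it is fragile), a placeholder expander that does what list="Yes" does, and an integer-list parser that mimics the type check cfsqltype="CF_SQL_INTEGER" gives you. Table names, column names and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the original post).
SAMPLE_SUBSCRIBERS = [
    "alice@example.com",
    "bob@example.com",
    "o'brien@example.com",   # contains a single quote
    "carol@example.com",
]


def prepare_query_string_list(lst):
    """Straight port of the post's PrepareQueryStringList(): double the
    quotes, then wrap every comma-separated element in quotes. Note that it
    trusts the comma as a delimiter and that quote-doubling is only correct
    for databases that escape quotes that way; it does no type checking."""
    tmp = lst.replace("'", "''")
    return "'" + tmp.replace(",", "','") + "'"


def parse_integer_list(raw):
    """Mimic cfsqltype="CF_SQL_INTEGER" list="Yes": split the FORM value on
    commas and require every element to be an integer. Anything that is not
    an integer (e.g. "1,2 OR 1=1") raises ValueError before any SQL is built."""
    items = [s.strip() for s in raw.split(",") if s.strip() != ""]
    return [int(s) for s in items]


def in_placeholders(values):
    """Return the "(?, ?, ?)" fragment for an IN clause plus the values to
    bind. An empty list yields "(NULL)" so the clause matches nothing instead
    of producing the syntax error "IN ()"."""
    if not values:
        return "(NULL)", []
    return "(" + ", ".join("?" for _ in values) + ")", list(values)


def delete_subscribers(conn, emails):
    """Equivalent of the post's DELETE with <cfqueryparam list="Yes">:
    every address is bound as a parameter, never interpolated."""
    fragment, params = in_placeholders(emails)
    cur = conn.execute("DELETE FROM subscribers WHERE email IN " + fragment, params)
    return cur.rowcount


def select_categories(conn, raw_list):
    """Equivalent of the post's SELECT ... WHERE categoryId IN (...):
    the list is type-checked first, then bound element by element."""
    ids = parse_integer_list(raw_list)
    fragment, params = in_placeholders(ids)
    rows = conn.execute(
        "SELECT categoryId FROM categories WHERE categoryId IN " + fragment
        + " ORDER BY categoryId",
        params,
    )
    return [r[0] for r in rows]


def make_db():
    """Build the constructed sample schema in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?)",
                     [(e,) for e in SAMPLE_SUBSCRIBERS])
    conn.execute("CREATE TABLE categories (categoryId INTEGER, title TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(i, "category %d" % i) for i in range(1, 6)])
    return conn


if __name__ == "__main__":
    conn = make_db()
    print(prepare_query_string_list("alice@example.com,o'brien@example.com"))
    print(select_categories(conn, "1, 3,5"))
    print(delete_subscribers(conn, ["bob@example.com", "o'brien@example.com"]))
    print(delete_subscribers(conn, []))
```

The placeholder approach never lets a value reach the SQL text, so the quoting rules of the database stop mattering, and the integer parser rejects a list element that is not a number before a query exists; the quoting helper relies on getting the escaping right for every database and on no legitimate value containing a comma.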