I always thought of <cfqueryparam> as primarily a security tag to help avoid SQL injection. Honestly, I now think that's really a secondary purpose. It's all about performance!
We have a table with email addresses for some 80,000 alumni here at Duke. When I do an email search without using cfqueryparam against our DB2 mainframe, it takes about 2500ms to return... if I do another lookup, it takes another 2500ms. However, if I use a bind variable, the first takes 2500ms, and then the second only takes about 500ms.

I saw similar performance increases against Oracle, although the table is faster in Oracle because it's indexed better, and it's inside our firewall... took about 150ms. I have also noticed that SQL Server seems to do some kind of automatic bind variable creation, because I saw no real performance advantage in SQL Server... with or without bind variables, the second query took 0ms.

Bottom line... always use CFQUERYPARAM, even if you're using other methods to prevent SQL Injection!

- Rick
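The email lookup described above, written both ways, as an added example that is not from the original post. The datasource name, table and column names are assumptions; the point is that the bound version sends one fixed SQL text with the value attached as typed data, which is what lets the database reuse its prepared plan and what keeps the input from ever being read as SQL.

```cfml
<!--- Added example (not from the original post): the same email search two ways.
      Assumed names: datasource "alumni", table ALUMNI_EMAIL(ALUMNUS_ID, EMAIL). --->

<!--- Weak form: the search value is spliced into the SQL text.
      Each distinct value yields a different statement, so DB2/Oracle parse and
      plan it again on every call, and the value is never treated as data. --->
<cfquery name="qEmailConcat" datasource="alumni">
    SELECT ALUMNUS_ID, EMAIL
    FROM   ALUMNI_EMAIL
    WHERE  EMAIL = '#form.email#'
</cfquery>

<!--- Corrected form: cfqueryparam passes the value as a bind variable.
      The SQL text is identical for every search, so the prepared plan is
      reused (the 2500ms -> 500ms effect above), and the value arrives as a
      typed, length-limited parameter rather than as part of the statement. --->
<cfquery name="qEmailBound" datasource="alumni">
    SELECT ALUMNUS_ID, EMAIL
    FROM   ALUMNI_EMAIL
    WHERE  EMAIL = <cfqueryparam value="#form.email#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="255">
</cfquery>

<cfoutput>#qEmailBound.recordCount# match(es) for #encodeForHTML(form.email)#</cfoutput>
```

The `cfsqltype` and `maxlength` attributes matter for both purposes: the type tells the driver what to bind (so the plan is stable), and the length cap rejects oversized input before it reaches the database.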

