> I was working on something the other day and he was looking at it with me and I was writing in some cfqueryparam tags and he made the comment "I've never gotten with that ... the whole cfqueryparam thing... they say they're supposed to be so much faster and all that, but I've never seen proof". So I said "I can prove it -- it's not difficult" and his response was "whatever, I don't care".
>
> So... based on that my assumption is that his biggest complaint is that the syntax requires so much typing (I must admit, shorter syntax would be nice... like a QueryParam(value,type,null,maxlength|precision) function for instance), and that he's not convinced there's a real gain from using them, which I find odd... he seems bright enough that I'm sure he's aware of the sql-injection issue in addition to performance. I'm not certain, but I think he underrates the idea of sql-injection as well as just being something we'll never need to deal with... Not that I would be likely to launch a campaign to fix all the queries that don't have them immediately, but if I were the lead developer I would certainly be encouraging people to add them where they see them missing.
Funny you should mention this. I wish I had a dollar for each time I've reviewed an application, found that it didn't use either CFQUERYPARAM or stored procedures, listed that as a serious security problem in the audit, and the client proceeded to ignore it until they got a black-box security audit from an outside firm. Oh wait, I do! Never mind! Of course, by then it's usually too late to avoid a bit of embarrassment at the very least.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205104
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
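The injection risk the thread refers to comes down to one distinction: whether user input is spliced into the SQL text or sent to the database as a bound value. Below is an added example (not from the thread, and not ColdFusion code) that shows both forms against Python's built-in sqlite3 module, whose `?` placeholders bind values the same way cfqueryparam does. The table, users and the `' OR '1'='1` payload are constructed for the demo; the `login_concat` and `login_param` names are mine.

```python
import sqlite3

# Constructed sample data for the demo (not from the original thread).
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is pasted into the SQL text, so it can rewrite the query."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, username, password):
    """Hardened: SQL text is fixed; values are bound, as cfqueryparam sends them."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def find_by_id(conn, user_id):
    """Typed parameter: reject anything that is not an integer before it reaches SQL,
    the equivalent of cfsqltype="cf_sql_integer" refusing a non-numeric value."""
    user_id = int(user_id)  # raises ValueError on e.g. "1 OR 1=1"
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,))]


def demo():
    """Run each form with a legitimate login and with the payload; return the results."""
    conn = make_db()
    return {
        "concat_legit": login_concat(conn, "alice", "s3cret"),
        "concat_attack": login_concat(conn, "x", PAYLOAD),
        "param_legit": login_param(conn, "alice", "s3cret"),
        "param_attack": login_param(conn, "x", PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated query, the payload turns the WHERE clause into `username = 'x' AND password = '' OR '1'='1'`, which is true for every row, so the attacker is "logged in" as the first user returned. With the bound parameter the database looks for a password that is literally `' OR '1'='1` and returns nothing. The typed lookup in `find_by_id` makes the second point cfqueryparam buys you: declaring the type rejects a payload before any SQL runs, and because the statement text never changes the server can reuse its cached plan instead of recompiling a new string on every request.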

