> > Since CFQUERYPARAM also generally provides a performance
> > benefit, why wouldn't you just use that? What do you see
> > as the advantage of your data scrubbing?
> 
> It depends on the project. If the variables are scrubbed from the
> beginning, some basic error checking can be run that would 
> act before the query is even run. For example, if you have a 
> product detail page that is expecting a product ID...
> 
> <cfset url.id = abs(val(trim(url.id)))>
> <cfif not url.id>
>     <cflocation url="/">
> </cfif>
> 
> Now you've guaranteed that there will be some value to pass 
> to the query, and if someone tries to get tricky with a SQL 
> injection attack, they get booted to the home page before the 
> query is ever run. For most of my projects I use a combination 
> of input scrubbing and SQL optimization (QUERYPARAM and SPs 
> where needed).
> 
> As with anything else, what you do depends on how the application 
> will be used, what kind of traffic you're expecting, and how much 
> time and money the client wants to throw at it.

I guess I don't see the time spent to write a CFQUERYPARAM tag as a
significant addition of expense. Also, if you pass an invalid data value to
a CFQUERYPARAM tag, CF will prevent the query from running. So, you could
easily do the same sort of thing just using CFQUERYPARAM and an exception
handler, which will provide the extra benefit of better performance.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized 
instruction at our training centers in Washington DC, Atlanta, 
Chicago, Baltimore, Northern Virginia, or on-site at your location. 
Visit http://training.figleaf.com/ for more information!
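The CFQUERYPARAM-plus-exception-handler approach described in the reply above, written out as an added example (it is not code from the thread or from either poster). The datasource name, the `products` table and its `product_id` column are assumed for illustration; the product-detail page is the same scenario as the scrubbing snippet quoted above.

```cfml
<!--- Added example, not from the original thread. Datasource "myDSN",
      table "products" and column "product_id" are assumed. --->
<cftry>
    <cfquery name="getProduct" datasource="myDSN">
        SELECT product_id, name, price
        FROM   products
        WHERE  product_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="any">
        <!--- A value that is not a valid integer (for instance a
              constructed input such as "1 OR 1=1") makes CFQUERYPARAM
              throw an "Invalid data ... for CFSQLTYPE CF_SQL_INTEGER"
              error before the SQL is sent to the database. A missing
              url.id is caught here as well. Send the visitor to the
              home page, as the scrubbing version does. --->
        <cflocation url="/" addtoken="no">
    </cfcatch>
</cftry>

<!--- Only reached when the parameter was a well-formed integer and the
      query ran; the value was bound as a parameter, never concatenated
      into the SQL string. --->
<cfoutput query="getProduct">
    #name#: #price#
</cfoutput>
```

Because the value is bound with `cfsqltype="cf_sql_integer"`, the database receives it as a typed parameter rather than as text inside the SQL statement, which is what gives the injection protection and the statement-caching performance benefit the reply refers to; the `cftry`/`cfcatch` only decides what the visitor sees when CF refuses to run the query.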
