> You could look at cfqueryparam as providing lots of features
> (security, type and length checking, handling of lists, etc)
> without ever knowing that the implementation was done via
> parameter binding.

You could, but that's irrelevant; whether you know how something works has nothing to do with how it works. What CFQUERYPARAM does is create bound parameters. All of those other features are the side-effects.

> You would think that for all the seriousness of the security
> hacks everyone is talking about that CF would want to make it
> a complete no-brainer that we should all use cfqueryparam.

The security benefit of CFQUERYPARAM is that bound parameters don't allow execution of commands. By using bound parameters, you are preventing the execution of any commands embedded in your data values. If CFQUERYPARAM did something other than create bound parameters, it would not be able to guarantee prevention of SQL injection attacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285771
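The point Dave makes above (that a bound parameter is never parsed as SQL, so any command text inside a data value stays inert) can be seen directly with a small demo. The following is an added example, not code from the thread and not ColdFusion; it uses Python's standard sqlite3 module against a constructed in-memory table to contrast the string-spliced query a plain CFQUERY builds with the placeholder-plus-bound-value query CFQUERYPARAM produces. The table, the rows and the probe value are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the database a CFQUERY would hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    """Equivalent of <cfquery>SELECT ... WHERE name = '#name#'</cfquery>.

    The value is spliced into the SQL text before the database parses it, so any
    SQL syntax inside the value becomes part of the statement.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Equivalent of <cfqueryparam value="#name#" cfsqltype="cf_sql_varchar">.

    The statement is compiled with a placeholder; the value is attached afterwards
    as a parameter and is never parsed as SQL, whatever it contains.
    """
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def store_and_fetch_bound(conn, name):
    """Store a value containing quotes and SQL keywords via binding, then read it back.

    Shows that binding preserves the value byte-for-byte as data: it neither
    executes it nor needs any escaping of the embedded quote.
    """
    conn.execute("INSERT INTO users (name, role) VALUES (?, ?)", (name, "user"))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0]


# Constructed data value that happens to contain SQL syntax.
PROBE = "nobody' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, PROBE))   # every row comes back
    print("bound:       ", lookup_bound(db, PROBE))          # no row has that literal name
    print("round trip:  ", store_and_fetch_bound(db, PROBE))  # the literal value, unchanged
```

With the concatenated query the probe value changes the meaning of the WHERE clause and every user is returned; with the bound parameter the same bytes are compared as a literal name and nothing matches. The round-trip function makes the complementary point: binding is not escaping, so a quote inside the value is stored and retrieved exactly as supplied. The same contrast holds for the type-checked forms (cf_sql_integer and so on), which CFQUERYPARAM layers on top of the binding as the extra checks Dave describes as side-effects.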

