Dave wrote:
> But what exactly would this tag do, if not create a bound parameter?
> It sounds like what you really want is an off switch.
Yes! I want an off switch so when debugging is more important than
security, I can do that without changing any code! (Sort of like the way
assert() works in other languages... when you debug you get one thing,
when you run you get another.)
[To Jochem]
MS SQL Server is a pretty decent database product, and their profiler
shows exactly what was sent to the database, nothing more, nothing less.
Precompiled statements (used with bound parameters) necessarily make
queries more difficult to read, esp. after the fact.
You two are really stuck on your positions and I'm only saying that more
flexibility in the language would make more applications more secure
since every single potential down-side to cfqueryparam would be
addressed in every situation. Sounds like a win-win to me, but if
defending the status-quo is all you want to do, then come and get me,
because I kinda wish things would change.
Thanks
Mark
-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2007 7:57 PM
To: CF-Talk
Subject: RE: cfquery: quotes vs queryparam
> That seems like a lame argument to me. If you want to stick to
> defining cfqueryparam that way then I might as well request a new tag,
> cfqueryparmthatdoesntusebinding, that does everything that I want it
> to do without doing parameter binding. Then we could both have our way
> but somehow that doesn't feel like the spirit of what a high-level
> language like CF should be.
All of the functionality of CFQUERYPARAM is completely dependent on the
fact that it creates a bound parameter. Type-checking, security,
performance, all of those things come from the database, not from CF.
So, yes, that's how I'll define CFQUERYPARAM - it's a tag that creates a
bound parameter. If you want a tag that does something else, that's all
well and good, but that has nothing to do with what CFQUERYPARAM
actually does.
> I completely concede that it would be difficult to guarantee perfect
> security the way that a bound parameter would. My essential point is
> that it would be better for everyone if all code could be written with
> cfqueryparam and the benefits of query binding could be enjoyed in
> every case except those few times where it gets in the way, even if
> that meant not having 100% perfect security during those few moments
> when it was disabled. That does not seem like an unreasonable point
> of view to me.
But what exactly would this tag do, if not create a bound parameter? It
sounds like what you really want is an off switch.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta, Chicago,
Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
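The distinction Dave draws above (CFQUERYPARAM is a bound parameter, and every benefit it gives comes from the database rather than from CF) is easiest to see side by side. The following is an added example, not code from either poster or from the CF-Talk thread; it assumes a datasource named "demo", a table users(id, name), and a request parameter url.id, all of which are made up for the illustration.

```cfml
<!--- Added example (not from the thread). Assumed: datasource "demo",
      table users(id, name), and an incoming request parameter url.id. --->

<!--- Interpolated: the value is spliced into the statement text, so the
      database receives whatever the client sent as part of the SQL itself.
      CF's automatic doubling of single quotes inside cfquery does not help
      here, because a numeric comparison has no surrounding quotes. --->
<cfquery name="qInterpolated" datasource="demo">
    SELECT id, name
    FROM   users
    WHERE  id = #url.id#
</cfquery>

<!--- Bound: cfqueryparam hands the value to the driver separately from the
      statement text, and the database enforces the declared type. The value
      can only ever be data; it is never parsed as SQL. The result attribute
      records what was sent, which covers the debugging case without turning
      binding off. --->
<cfquery name="qBound" datasource="demo" result="rBound">
    SELECT id, name
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- What the database actually received: statement text and parameter
      values, shown separately because that is how they were transmitted. --->
<cfoutput>
    <p>SQL sent: #rBound.sql#</p>
</cfoutput>
<cfdump var="#rBound.sqlParameters#" label="Bound parameter values">
```

The result struct (rBound.sql and rBound.sqlParameters) is the practical answer to the "I need to see what was sent" objection: it shows the statement and the bound values as the driver submitted them, so the readability cost of precompiled statements can be paid back at debug time without ever running the interpolated form in production.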
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285842