Ben, Please take a look at the following post by Ben Forta. This should clear up some "why" issues for you.
http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored

Dan Vega
http://www.danvega.org/blog/

On 8/10/07, Ben Mueller <[EMAIL PROTECTED]> wrote:
>
> Mike,
>
> Thanks for the response. But the question is this: what benefits will I
> get from saying this:
>
> <cfqueryparam cfsqltype="cf_sql_integer" value="#val(url.userid)#">
>
> over just this:
>
> #val(url.userid)#
>
> Am I going to see a significant performance increase? For the sake of
> argument, pretend that sample query I included in my first post is heavily
> hit. I'm running SQL Server 2000 (soon to upgrade to 2005).
>
> >As many others have said, there is never a reason NOT to use
> >cfqueryparam.
> >
> >You can still use your trick and cfqueryparam doesn't have to bomb:
> >
> ><cfqueryparam cfsqltype="cf_sql_integer" value="#val(url.userid)#">
> >
> >M!ke
> >
> >I'm trying to determine if cfqueryparam is really worth using.
> >
> >For data validation, we tend to do something like this:
> >
> >SELECT username
> >FROM user
> >where userID = #int(URL.userID)#
> >
> >The nice thing about this is that if "URL.userID" isn't an integer,
> >int() returns 0, and the query executes and simply returns no records.
> >For us, this is a far preferable method than what cfqueryparam would do,
> >which is to bomb before executing the query.
> >
> >Then today I discovered that cfqueryparam supports bind variables, which
> >theoretically will improve database performance. So now the question
> >is: how much does it improve performance? Am I really going to notice
> >it? Should I really switch my queries over to something like this:
> >
> >SELECT username
> >FROM user
> >where userID = <cfqueryparam CFSQLType="CF_SQL_INTEGER"
> >value="#int(URL.user_id)#">
> >
> >Any advice is appreciated.
> >
> >Thanks,
> >Ben
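As an added illustration that is not part of the thread, here is the same lookup written with cfqueryparam for the integer key (keeping the val() trick Mike suggested) and, going one step beyond the thread, for a string column, which is where val() stops being an option. The datasource name "myDSN", the "username" column and the maxlength of 50 are assumptions.

```cfml
<!--- Constructed example, not code from the thread. "myDSN", the
      "username" column and the maxlength value are assumptions. --->

<!--- 1. Integer key. val() keeps the "no rows instead of an error"
      behaviour Ben wants for non-numeric input, and cfqueryparam sends
      the value as a bound parameter: the database receives the same SQL
      text for every userID and can reuse one execution plan, instead of
      compiling a new statement for every distinct literal. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT username
    FROM   [user]   <!--- bracketed: USER is a reserved word in T-SQL --->
    WHERE  userID = <cfqueryparam cfsqltype="cf_sql_integer"
                                  value="#val(url.userID)#">
</cfquery>

<!--- 2. String column. There is no val() equivalent for text: if the
      value were concatenated into the statement, quotes and anything
      else inside url.username would be parsed as SQL. As a bound
      varchar parameter the whole value is passed as data, never as
      statement text, and maxlength rejects over-long input before it
      reaches the database. --->
<cfquery name="findUser" datasource="myDSN">
    SELECT userID
    FROM   [user]
    WHERE  username = <cfqueryparam cfsqltype="cf_sql_varchar"
                                    value="#url.username#"
                                    maxlength="50">
</cfquery>

<cfoutput>
    getUser returned #getUser.recordCount# row(s);
    findUser returned #findUser.recordCount# row(s).
</cfoutput>
```

The first query answers Ben's question directly: val() and cfqueryparam are not alternatives, the one inside the other gives both his error-free behaviour and a bound parameter.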

