Thanks, Dan.  We know about SQL injection attacks, and that's why we have 
things like this:

#int(URL.userID)#

If the value isn't an integer, then int() returns 0, and the query will not 
throw an exception.  Preventing injection attacks isn't enough of an incentive 
to use cfqueryparam--at least for us--since we generally have less-verbose 
means of preventing them.

Thanks again,
Ben

> Ben,
> Please take a look at the following post by Ben Forta. This should clear up
> some "why" issues for you.
> 
> http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored
> 
> Dan Vega
> http://www.danvega.org/blog/
> 
> 
> On 8/10/07, Ben Mueller <[EMAIL PROTECTED]> wrote:
> >
> > Mike,
> >
> > Thanks for the response.  But the question is this:  what benefits will I
> > get from saying this:
> >
> > <cfqueryparam cfsqltype="cf_sql_integer" value="#val(url.userid)#">
> >
> > over just this:
> >
> > #val(url.userid)#
> >
> > Am I going to see a significant performance increase?  For the sake of
> > argument, pretend that sample query I included in my first post is heavily
> > hit.  I'm running SQL Server 2000 (soon to upgrade to 2005).
> >
> > >As many others have said, there is never a reason NOT to use
> > >cfqueryparam.
> > >
> > >You can still use your trick and cfqueryparam doesn't have to bomb:
> > >
> > ><cfqueryparam cfsqltype="cf_sql_integer" value="#val(url.userid)#">
> > >
> > >M!ke
> > >
> > >I'm trying to determine if cfqueryparam is really worth using.
> > >
> > >For data validation, we tend to do something like this:
> > >
> > >SELECT username
> > >FROM user
> > >where userID = #int(URL.userID)#
> > >
> > >The nice thing about this is that if "URL.userID" isn't an integer,
> > >int() returns 0, and the query executes and simply returns no records.
> > >For us, this is a far preferable method than what cfqueryparam would do,
> > >which is to bomb before executing the query.
> > >
> > >Then today I discovered that cfqueryparam supports bind variables, which
> > >theoretically will improve database performance.  So now the question
> > >is:  how much does it improve performance?  Am I really going to notice
> > >it?  Should I really switch my queries over to something like this:
> > >
> > >SELECT username
> > >FROM user
> > >where userID = <cfqueryparam CFSQLType="CF_SQL_INTEGER"
> > >value=#int(URL.user_id)#>
> > >
> > >Any advice is appreciated.
> > >
> > >Thanks,
> > >Ben
> >
> > 

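The thread contrasts the "coerce it to a number and interpolate it" trick with a bound parameter (cfqueryparam). The following is an added example, not code from any of the posters: it uses Python and sqlite3 as a stand-in for CFML and SQL Server, with a constructed three-row user table and a cf_val() helper that approximates ColdFusion's val() (leading number or 0; an assumption, not the real function). It shows that numeric coercion does neutralise injection for an integer column, that the same trick has no equivalent for a string column such as username, where string concatenation is injectable and a bound parameter is not, and that the bound form sends the same statement text on every call, which is what lets the database reuse a cached plan.

```python
import re
import sqlite3

# Constructed sample rows standing in for the thread's "user" table.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory database with the constructed sample table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (userID INTEGER PRIMARY KEY, username TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return con


def cf_val(s):
    """Approximation of ColdFusion val(): leading number, else 0 (assumption)."""
    m = re.match(r"\s*[-+]?\d+(\.\d+)?", str(s))
    return float(m.group(0)) if m else 0


def lookup_by_id_coerced(con, raw_id):
    """The thread's trick: coerce to an integer, then interpolate into SQL.
    Only digits can reach the statement, so injection is not possible here."""
    sql = f"SELECT username FROM user WHERE userID = {int(cf_val(raw_id))}"
    return [r[0] for r in con.execute(sql)]


def lookup_by_name_concat(con, raw_name):
    """String column: there is no numeric coercion to hide behind, so
    interpolating the value lets a quote break out of the literal."""
    sql = f"SELECT username FROM user WHERE username = '{raw_name}'"
    return [r[0] for r in con.execute(sql)]


def param_statement():
    """The statement text the bound form sends; constant for every call."""
    return "SELECT username FROM user WHERE username = ?"


def lookup_by_name_param(con, raw_name):
    """Bound parameter: the input is delivered as data, never parsed as SQL."""
    return [r[0] for r in con.execute(param_statement(), (raw_name,))]


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print("coerced id '2 OR 1=1' ->", lookup_by_id_coerced(con, "2 OR 1=1"))
    print("coerced id 'abc'      ->", lookup_by_id_coerced(con, "abc"))
    print("concat name payload   ->", lookup_by_name_concat(con, payload))
    print("param  name payload   ->", lookup_by_name_param(con, payload))
```

The integer lookups behave as the thread describes: a trailing injection attempt is truncated to the leading number and a non-numeric value becomes 0 and matches nothing. The string lookups are where the two approaches diverge: the concatenated query returns every row for the quote-breaking payload, while the bound query returns none, and its statement text never changes between calls.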

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285973