And to further emphasize that -- I would encourage the use of stored procedures whenever possible. I've been using Oracle stored procedures with CF for years with great success. You get all the benefits of the CFQUERYPARAM and you let the database do what it does best -- process data.
Warren Koch

----- Original Message -----
From: "Dave Watts" <[EMAIL PROTECTED]>
To: "CF-Talk" <[email protected]>
Sent: Monday, January 21, 2008 12:09 PM
Subject: RE: writing insert query sql in coldfusion

>> > out of interest what is the difference in using the
>> > cfqueryparam and not?
>>
>> Well, the biggest reason is that it provides significant
>> protection against SQL injection attacks. It basically does
>> in-line data validation.
>
> Ben (and everyone else who's posted) is right that you should use this. It's
> worth pointing out, though, that Ben has listed two different things above,
> and those things are separate. CFQUERYPARAM separates data values from
> executable SQL code, and that's how it prevents SQL injection attacks. This
> isn't "significant protection", it's complete protection. By separating data
> values from executable code, you are clearly telling the database that data
> values cannot be executed, so it doesn't matter whether they contain SQL
> commands - they simply won't be executed.
>
> Almost as a side effect, you get data validation before you send your data
> to the database.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
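As an added illustration of the difference Dave and Warren describe (example code written for this page, not from either poster or from the thread), the same lookup with the value inlined, with CFQUERYPARAM, and as a stored-procedure call. The datasource "appDSN", the orders table and the usp_insert_order procedure are hypothetical names.

```cfml
<!--- Hypothetical names: datasource "appDSN", table "orders", procedure "usp_insert_order". --->

<!--- VULNERABLE: the request value is pasted into the SQL text, so the database
      cannot tell where the statement ends and the data begins. Whatever is in
      url.orderId is compiled as part of the statement. --->
<cfquery name="getOrderUnsafe" datasource="appDSN">
    SELECT order_id, customer_name, total
    FROM   orders
    WHERE  order_id = #url.orderId#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind parameter. The SQL text
      reaching the database is fixed ("... WHERE order_id = ?"); the value travels
      separately and is only ever treated as data. cfsqltype also validates the
      value before the query is sent: a non-integer is rejected by ColdFusion
      and never reaches the database. --->
<cfquery name="getOrder" datasource="appDSN">
    SELECT order_id, customer_name, total
    FROM   orders
    WHERE  order_id = <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same approach for an INSERT: every user-supplied value is a typed parameter.
      maxlength enforces the column width on the ColdFusion side. --->
<cfquery datasource="appDSN">
    INSERT INTO orders (customer_name, total)
    VALUES (
        <cfqueryparam value="#form.customerName#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.total#" cfsqltype="cf_sql_decimal" scale="2">
    )
</cfquery>

<!--- STORED PROCEDURE: the SQL lives in the database; ColdFusion passes only typed
      parameters through cfprocparam, so the data/code separation is the same as
      with cfqueryparam and the caller cannot alter the statement at all. --->
<cfstoredproc procedure="usp_insert_order" datasource="appDSN">
    <cfprocparam type="in"  cfsqltype="cf_sql_varchar" value="#form.customerName#" maxlength="100">
    <cfprocparam type="in"  cfsqltype="cf_sql_decimal" value="#form.total#" scale="2">
    <cfprocparam type="out" cfsqltype="cf_sql_integer" variable="newOrderId">
</cfstoredproc>
<cfoutput>Created order #newOrderId#</cfoutput>
```

The first block is the pattern to look for when reviewing existing CFQUERY tags: any `#...#` interpolation inside the SQL text that is not wrapped in CFQUERYPARAM.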

