> -----Original Message-----
> From: Tom Chiverton [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 22, 2008 8:37 AM
> To: CF-Talk
> Subject: Re: CFC protect from SQL Injection?
>
> On Friday 22 Feb 2008, Russ wrote:
> > CFqueryparam is not always beneficial. Let's say you are doing a batch
> > insert with 1000 records. The cfqueryparam method is going to be a LOT
> > slower.
>
> It shouldn't be.
>
It is, I've tested it. There is a lot of overhead in passing that many parameters.

> > Additionally, everyone keeps talking about how you should use cfqueryparam
> > to avoid SQL injection, but nobody has shown me an example of SQL injection
> > without cfqueryparam. I think I can get the same results from val.
>
> But you don't get the cached execution plan benefits then.

This is true. Most of the time, it will perform slightly better. My point, though, is that it's not necessary 100% of the time, and you should know how to construct a query without it that doesn't have SQL injection vulnerabilities. This is why I want to start the conversation and get some real world examples of what not to do. Unfortunately, nobody has been able to provide any so far...

Russ

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:299681
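Added illustration of the contrast the thread is arguing about; this is not code from the thread or from any participant. It is written in Python against an in-memory sqlite3 database so it runs stand-alone, with bound `?` parameters standing in for cfqueryparam and string concatenation standing in for interpolating `#url.x#` straight into a cfquery. The `users` table, its rows and the attacker inputs are constructed for the demo, and `cf_val()` is only an approximation of ColdFusion's val() (numeric prefix of the string, else 0), not the real function. The example goes one step beyond the thread: it shows where val() is enough (a numeric column) and where it cannot apply at all (a quoted string column), and it shows a batch insert that still uses bound parameters.

```python
"""Concatenated SQL vs. val() vs. bound parameters, on constructed data."""
import re
import sqlite3

# Constructed sample rows for the demo (not real data).
SEED_ROWS = [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)]


def setup_db():
    """Create an in-memory users table and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    return con


def cf_val(s):
    """Approximation of ColdFusion's val(): leading numeric part of s, else 0."""
    m = re.match(r"\s*[-+]?(\d+\.?\d*|\.\d+)", str(s))
    return float(m.group(0)) if m else 0


def find_by_id_concat(con, raw_id):
    """Equivalent of WHERE id = #url.id# with no cfqueryparam and no val()."""
    sql = "SELECT id, username FROM users WHERE id = " + str(raw_id)
    return con.execute(sql).fetchall()


def find_by_id_val(con, raw_id):
    """Numeric column guarded with val(): the interpolated text can only be a number."""
    sql = "SELECT id, username FROM users WHERE id = " + str(int(cf_val(raw_id)))
    return con.execute(sql).fetchall()


def find_by_name_concat(con, raw_name):
    """Quoted string column built by concatenation: a quote in the input ends the literal."""
    sql = "SELECT id, username FROM users WHERE username = '" + str(raw_name) + "'"
    return con.execute(sql).fetchall()


def find_by_name_param(con, raw_name):
    """Bound parameter (the mechanism behind cfqueryparam): the value never becomes SQL text."""
    return con.execute(
        "SELECT id, username FROM users WHERE username = ?", (raw_name,)
    ).fetchall()


def batch_insert_param(con, rows):
    """Batch insert with one prepared statement and one binding per row; returns row count."""
    con.executemany(
        "INSERT INTO users (id, username, is_admin) VALUES (?, ?, ?)", rows
    )
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    # Numeric column: concatenation is injectable, val() closes it.
    print("id concat, benign:   ", find_by_id_concat(db, "2"))
    print("id concat, injected: ", find_by_id_concat(db, "2 OR 1=1"))
    print("id val(), injected:  ", find_by_id_val(db, "2 OR 1=1"))
    # String column: val() cannot be used, only binding keeps the quote inert.
    payload = "x' OR '1'='1"
    print("name concat, injected:", find_by_name_concat(db, payload))
    print("name param, injected: ", find_by_name_param(db, payload))
    # Batch path: executemany keeps binding while sending many rows.
    more = [(i, "user%d" % i, 0) for i in range(100, 1100)]
    print("rows after batch:", batch_insert_param(db, more))
```

The numeric case is the one where Russ's val() argument holds: `2 OR 1=1` collapses to `2` before it touches the SQL. The string case is the one nobody in the thread had written down: `x' OR '1'='1` returns every row through concatenation and nothing through a bound parameter, because the driver sends the value separately from the statement text. `executemany` is the shape a batch insert takes when it keeps parameters bound.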

