Regarding performance... On high traffic sites with a good SQL server
cfqueryparam can result in 10 to sometimes as much as 40 percent performance
increase - especially if your SQL server is finely tuned and has good
indexing and schema practices.

In addition, I don't find the queries less readable. In fact, the extra
attribute information tells me more about the schema without having to look
up the tables. The use of snippets means it takes no time at all to use
them. In short, I can find no legitimate reason to NOT use cfqueryparam.
Your arguments below lead to code that is simply unnecessarily inconsistent.

-mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Claude Schneegans [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 21, 2008 8:38 PM
To: CF-Talk
Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...

>>Bottom line: ***always*** use cfqueryparam.  Period.  There are no
>>acceptable "exceptions to the rule".


Even with something like
UPDATE myTable SET myDate = <cfqueryparam value="#now()#" CFSQLType="CF_SQL_TIMESTAMP">?
OR this:
UPDATE myTable SET myValue = <cfqueryparam value="#someOtherQuery.someOtherValue#" CFSQLType="CF_SQL_INTEGER">?

Just ridiculous.

OK, it "improves performance", if you care about microseconds, but there is
no security aspect here.
The increase of performance can make a significant difference only for very
big queries or very repetitive code.
As the docs say: "Bind variable usage enhances performance when executing a
cfquery statement multiple times."
Otherwise, the advantage is only for security purposes... and there is a
risk only for variables set by a visitor.
If the content is set by your CF program itself, where is the risk? It is
like putting a lock on an empty box.
Personally, I care more about code readability than useless security.

--
_______________________________________
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.
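The two forms the thread argues about, side by side, as an added example that neither poster wrote; the datasource shopDSN, the orders table and the URL parameter id are assumed for illustration:

```cfml
<!--- Added example (not from the thread). Assumed: datasource "shopDSN",
      table "orders" with columns orderID, customerID, total, lastViewed,
      and a visitor-supplied URL parameter "id". --->

<!--- Fail fast on a malformed visitor value before it gets near the
      database; isValid("integer", ...) accepts only whole numbers. --->
<cfif NOT structKeyExists(url, "id") OR NOT isValid("integer", url.id)>
    <cfthrow type="Application.BadRequest" message="Order id must be an integer.">
</cfif>

<!--- Risky form: url.id is pasted into the SQL text, so the visitor's
      string becomes part of the statement the server parses. --->
<cfquery name="getOrderUnsafe" datasource="shopDSN">
    SELECT orderID, customerID, total
    FROM   orders
    WHERE  orderID = #url.id#
</cfquery>

<!--- Hardened form: the value travels as a bind parameter, never as SQL
      text. cfsqltype="cf_sql_integer" also makes ColdFusion throw an
      exception for a non-integer value, and the server can reuse the
      cached execution plan for every call with a different id. --->
<cfquery name="getOrderSafe" datasource="shopDSN">
    SELECT orderID, customerID, total
    FROM   orders
    WHERE  orderID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- The same attribute on a program-generated value (Claude's now()
      case): no visitor input here, but the declared type documents the
      column and keeps every query in the code base written the same way,
      which is Mark's consistency argument. --->
<cfquery name="stampOrder" datasource="shopDSN">
    UPDATE orders
    SET    lastViewed = <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
    WHERE  orderID    = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

With cfqueryparam in place the database only ever sees one statement shape with values bound separately, which is the property that makes the visitor-vs-program distinction in the thread moot for the query text itself.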


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309428