Always sanitize your data entry.
http://xkcd.com/327/

Performance is a moot point when you have to sanitize/rebuild your entire
database because you got hacked.

Besides, shouldn't you be abstracting your database layer and using
cfqueryparam in your CFCs as a matter of habit?

Not dissing anyone. Just curious. With all the ORMs and code generators out
there, why are you not using cfqueryparam?

Seriously, CFC Generator saved my ass with this hack attack. Thanks Brian!

~G~


On Mon, Jul 21, 2008 at 10:04 PM, Mark Kruger <[EMAIL PROTECTED]> wrote:

> Regarding performance... On high traffic sites with a good SQL server
> cfqueryparam can result in 10 to sometimes as much as 40 percent performance
> increase - especially if your SQL server is finely tuned and has good
> indexing and schema practices.
>
> In addition, I don't find the queries less readable. In fact, the extra
> attribute information tells me more about the schema without having to look
> up the tables. The use of snippets means it takes no time at all to use
> them. In short, I can find no legitimate reason to NOT use cfqueryparam.
> Your arguments below lead to code that is simply unnecessarily
> inconsistent.
>
> -mark
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -----Original Message-----
> From: Claude Schneegans [mailto:[EMAIL PROTECTED]
> Sent: Monday, July 21, 2008 8:38 PM
> To: CF-Talk
> Subject: Re: (ot) URL Hack Attempt Leaves Me Scratching My Head...
>
>  >>Bottom line: ***always*** use cfqueryparam.  Period.  There are no
> acceptable "exceptions to the rule".
>
>
> Even with something like
> UPDATE myTable SET myDate = <cfqueryparam value="#now()#" CFSQLType="CF_SQL_TIMESTAMP">?
> OR this:
> UPDATE myTable SET myValue = <cfqueryparam value="#someOtherQuery.someOtherValue#" CFSQLType="CF_SQL_INTEGER">?
>
> Just ridiculous.
>
> OK, it "improves performance", if you care about microseconds, but there is
> no security aspect here.
> The increase of performance can make a significant difference only for very
> big queries or very repetitive code.
> As the docs say: "Bind variable usage enhances performance when executing a
> cfquery statement multiple times."
> Otherwise, the advantage is only for security purposes... and there is a
> risk only for variables set by a visitor.
> If the content is set by your CF program itself, where is the risk? It is
> like putting a lock on an empty box.
> Personally, I care more about code readability than useless security.
>
> --
> _______________________________________
> REUSE CODE! Use custom tags;
> See http://www.contentbox.com/claude/customtags/tagstore.cfm
> (Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

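Added example (mine, not code from any poster on this thread): the second of Claude's two cases, a value that reaches the UPDATE from "someOtherQuery" rather than from the request, is worth seeing run, because a value read back from your own database is only as trustworthy as whatever wrote it. The script below rebuilds that shape in Python with SQLite (chosen so it runs anywhere; the thread is ColdFusion, and the two retitle functions correspond to a cfquery with and without cfqueryparam). Everything in it is an assumption for illustration: the two-table schema (users, notes) standing in for myTable and someOtherQuery, the seed rows, and a user who signed up with a name that is really a SQL fragment. The sign-up path binds its parameters, so the hostile name is stored harmlessly; the damage happens later, when the program trusts it on the way back out.

```python
import sqlite3

# Constructed sample data (assumption, not the posters' real schema).
# User 2 signed up with a name that is really a SQL fragment.
HOSTILE_NAME = "pwned', owner_id = 2 --"
SEED_USERS = [(1, "alice"), (2, HOSTILE_NAME)]
SEED_NOTES = [(1, 1, "original-1"), (2, 2, "original-2"), (3, 1, "original-3")]


def fresh_db():
    """In-memory SQLite with both tables seeded through bound parameters.

    The sign-up path is parameterized, so the hostile name is stored verbatim
    and does nothing here; it only becomes SQL if some later query splices it
    back into query text.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE notes (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SEED_NOTES)
    conn.commit()
    return conn


def lookup_name(conn, user_id):
    """The thread's 'someOtherQuery': a value the program trusts because it
    came from its own database rather than from the visitor's request."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def retitle_interpolated(conn, note_id, user_id):
    """Equivalent of
        UPDATE notes SET title = '#someOtherQuery.name#' WHERE id = #note_id#
    with no cfqueryparam: the stored string is spliced into the SQL text.
    Returns the SQL actually sent, so the splice can be inspected."""
    name = lookup_name(conn, user_id)
    sql = f"UPDATE notes SET title = '{name}' WHERE id = {note_id}"
    conn.execute(sql)
    conn.commit()
    return sql


def retitle_parameterized(conn, note_id, user_id):
    """Same update with the values bound, the way cfqueryparam binds them:
    the driver sends the name as data, never as part of the statement."""
    name = lookup_name(conn, user_id)
    sql = "UPDATE notes SET title = ? WHERE id = ?"
    conn.execute(sql, (name, note_id))
    conn.commit()
    return sql


def notes_after(retitle_fn, note_id=1, user_id=2):
    """Run one retitle on a fresh database and return (id, owner_id, title) rows."""
    conn = fresh_db()
    retitle_fn(conn, note_id, user_id)
    return conn.execute(
        "SELECT id, owner_id, title FROM notes ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    for fn in (retitle_interpolated, retitle_parameterized):
        print(fn.__name__)
        for row in notes_after(fn):
            print("   ", row)
```

With interpolation, the statement that reaches SQLite is `UPDATE notes SET title = 'pwned', owner_id = 2 --' WHERE id = 1`: the comment marker swallows the WHERE clause, so every note now belongs to user 2. With binding, note 1 simply gets the odd-looking name as its title and nothing else changes. The first of Claude's cases, `#now()#`, is not covered by this: a timestamp the server generates itself is not attacker-influenced, and the reasons to bind it are the ones Mark gives (statement reuse on the SQL server and an explicit type on the parameter), not injection.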
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309429