> > If you don't really care
>
> I don't really care about measuring the difference it makes,
> because it must certainly be marginal, and it is not because
> I don't care about the difference it can make that I cannot make a
> comment about it.
If you want to be a contrarian for the sake of being a contrarian, go right ahead. However, you speculated that there might be overhead in creating an execution plan, when one is created whether you use CFQUERYPARAM or not! Then, immediately after that, you wrote that you don't care one way or the other. If you don't care one way or the other, why would that speculation be a deciding factor about whether to use CFQUERYPARAM? It seems to me that your sole justification for not using it, or using it selectively, or whatever, is that it's too much trouble to type it out. And if that's true, that's fine with me, because I don't really care about your applications specifically.

It may well be the case that under specific conditions, there is a cost to using CFQUERYPARAM. For example, there may be some queries that benefit from having new execution plans generated each time they're run, instead of using a cached execution plan. But you have failed to identify any of those specific edge cases. You're not recommending that people attempt to identify these edge cases, either. And, in the absence of evidence about a specific case, the safe assumption is that building a prepared statement will not only provide complete protection against SQL injection, but will also improve performance.

In ANY case, building a prepared statement that uses CFQUERYPARAM to wrap every piece of user-supplied data will provide complete protection against SQL injection, by its very nature - it tells the database the difference between executable code and data. Instead, you're throwing up a smokescreen of crap about why people shouldn't use it, or why they should be more selective in using it.
You're willing to rely on all sorts of other things to provide what you see as equivalent to the protection you get from prepared statements - making sure your MySQL database is configured a certain non-default way, filtering out "bad words" from incoming HTTP requests, etc - but it would be easier and more reliable to just build the prepared statements in the first place!

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309657
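To make the "code versus data" point above concrete, here is the same lookup written both ways in CFML. This is an added example for this page, not code from the thread, from Dave Watts or from Fig Leaf Software; the datasource name `appDSN`, the `users` table and its columns, and the URL parameters are all assumptions.

```cfml
<!--- Added example. Datasource "appDSN", table "users" and the URL parameters
      are assumed for illustration; they are not from the original message. --->

<!--- Vulnerable form: the value of url.username is spliced into the SQL text.
      The database receives one string and cannot tell where the developer's SQL
      ends and the user's data begins. On databases that cache plans by statement
      text, every distinct value is also a distinct statement to plan. --->
<cfquery name="qUnsafe" datasource="appDSN">
    SELECT id, username, email
    FROM   users
    WHERE  username = '#url.username#'
</cfquery>

<!--- Hardened form: cfqueryparam sends the statement with a bind marker and the
      value separately. The SQL is always "... WHERE username = ?" regardless of
      input, so the value is never interpreted as SQL and one execution plan can
      be reused across calls with different values. --->
<cfquery name="qSafe" datasource="appDSN">
    SELECT id, username, email
    FROM   users
    WHERE  username = <cfqueryparam value="#url.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="64">
</cfquery>

<!--- cfsqltype also validates the value: a non-numeric url.id is rejected by
      ColdFusion before anything is sent to the database. --->
<cfquery name="qById" datasource="appDSN">
    SELECT id, username
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- IN-lists are the usual excuse for string-building; list="true" binds each
      element of the comma-separated list as its own typed parameter. --->
<cfquery name="qByIds" datasource="appDSN">
    SELECT id, username
    FROM   users
    WHERE  id IN (<cfqueryparam value="#url.ids#"
                                cfsqltype="cf_sql_integer"
                                list="true">)
</cfquery>
```

With the hardened forms, a database trace or the ColdFusion debug output shows the parameterized statement text with the parameter values listed separately, which is exactly the separation of executable code from data the message describes; there is no filter list to maintain and no dependence on a particular database configuration.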

