Ok, makes sense. We use a CFC here that I built a long time ago that builds insert/update queries based upon the database's meta data. It puts in the cfqueryparams and does data validation prior to that. While the cfqueryparams were put in for those very reasons, the seen benefit by anyone using it is the fact they no longer have to write those queries. They just pass in typically the form structure, an action flag and the table name then it does the rest. I could see them still liking an SP that did it then the wrapper for the SP would need all the appropriate checks on the data coming in to hopefully avoid the possibility of a SQL injection attack.

On Thu, Oct 30, 2008 at 2:57 PM, Adrian Lynch <[EMAIL PROTECTED]> wrote:
> EXEC()ing a string won't produce the same execution plan as the base SQL
> (<---<< a guess) and you lose cfqueryparam and cfprocparam's biggest
> benefit, protecting against injection.
>
> Adrian
>
> -----Original Message-----
> From: Aaron Rouse
> Sent: 30 October 2008 19:52
> To: cf-talk
> Subject: Re: cfqueryparam vs cfstoredproc?
>
>
> Why do you feel it would defeat the point?
>
> On Thu, Oct 30, 2008 at 2:19 PM, Adrian Lynch
> <[EMAIL PROTECTED]> wrote:
>
> > Exactly, which kinda defeats the point I feel.
> >
> > I've got a few ways that I might try but for now I'm back to writing SPs.
> >
> > If anyone's interested, I have the full DAO code here:
> >
> > http://adrianlynch.co.uk/post.cfm?postID=21
> >
> > Adrian
> > Building a database of ColdFusion errors at http://cferror.org/
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > Sent: 30 October 2008 18:28
> > To: cf-talk
> > Subject: RE: cfqueryparam vs cfstoredproc?
> >
> >
> > exec()
> > or sp_executesql
> >
> > You would need to pass in the arguments as a list to the procedure and
> > then do the looping and building of a dynamic query with SQL. Then
> > execute what you have created.
> >
> > Good luck. Dynamic SQL isn't nearly as easy in SQL as in CF. Also, you
> > will have to take additional steps to parameterize it. (requires
> > sp_executesql)
> >
> > FYI: My advice assumes MS SQL.
> >
> > ~Brad
> >
> > -------- Original Message --------
> > Subject: RE: cfqueryparam vs cfstoredproc?
> > From: "Adrian Lynch" <[EMAIL PROTECTED]>
> > Date: Thu, October 30, 2008 1:06 pm
> > To: cf-talk <[email protected]>
> >
> > An open question then...
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314633
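The thread contrasts two ways of running dynamic SQL inside an MS SQL stored procedure: splicing values into a string for EXEC(), which throws away the injection protection cfqueryparam/cfprocparam give you, and sp_executesql with a parameter definition, which keeps the data value out of the statement text. The procedure below is an added example, not code from this thread or from Adrian's DAO; the procedure name, the dbo schema and the parameter sizes are assumptions. It also shows the one thing parameters cannot cover: table and column names, which the generic "pass in the table name" wrapper Aaron describes has to validate and quote separately.

```sql
-- Added example (not from the thread): a dynamic-SQL stored procedure for
-- MS SQL Server that stays parameterized via sp_executesql, as Brad suggests,
-- instead of concatenating values into an EXEC() string, which Adrian warns
-- loses injection protection. Procedure name and schema are assumptions.

CREATE PROCEDURE dbo.usp_SelectByColumn
    @TableName  sysname,        -- identifier chosen by the caller
    @ColumnName sysname,        -- identifier chosen by the caller
    @Value      nvarchar(200)   -- data value, e.g. straight from a form field
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be bound as sp_executesql parameters, so the caller's
    -- table/column names are checked against the catalog (user tables in dbo
    -- only) and then bracket-quoted with QUOTENAME before entering the text.
    IF NOT EXISTS (
        SELECT 1
        FROM   sys.columns AS c
        JOIN   sys.objects AS o ON o.object_id = c.object_id
        WHERE  o.name      = @TableName
        AND    c.name      = @ColumnName
        AND    o.type      = 'U'
        AND    o.schema_id = SCHEMA_ID('dbo')
    )
    BEGIN
        RAISERROR('Unknown table or column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT * FROM dbo.' + QUOTENAME(@TableName)
             + N' WHERE ' + QUOTENAME(@ColumnName) + N' = @p0;';

    -- The data value never touches the SQL text: it is bound as @p0. Because
    -- the statement text is identical for every value, the engine can also
    -- reuse one execution plan per table/column shape.
    EXEC sys.sp_executesql
        @sql,
        N'@p0 nvarchar(200)',
        @p0 = @Value;
END;
GO

-- For comparison, the EXEC() pattern the thread advises against. The value is
-- spliced into the statement, so a value containing a quote changes the query
-- rather than being compared as data, and every distinct value yields a
-- distinct statement to compile:
--
--   EXEC(N'SELECT * FROM dbo.' + QUOTENAME(@TableName)
--      + N' WHERE ' + QUOTENAME(@ColumnName) + N' = ''' + @Value + N''';');
```

From ColdFusion the call is `<cfstoredproc procedure="usp_SelectByColumn">` with three `<cfprocparam>` tags, and the `@Value` parameter keeps its typed-parameter protection all the way down because the procedure never concatenates it. The catalog check plus QUOTENAME is the part a metadata-driven wrapper like Aaron's still has to do itself, since no parameterization mechanism covers identifiers.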

