> No, it certainly doesn't.  If you write the SQL, they can't post
> additional form fields that you're not expecting and have them get
> into your SQL statement.

If I recall correctly, you can limit the form fields used by
CFINSERT/CFUPDATE using the FORMFIELDS attribute. So that's not a big
deal as long as those fields are explicitly specified.

In general, unless you have control over coding standards in your
organization, I suspect you're not going to win this battle.
Personally, I don't like them and haven't used them outside of a
classroom - and even then, that was many years ago - but I don't think
there's a significant difference in performance or security. There may
be a bit of a performance hit for CF to identify SQL data types, but I
can't imagine that's significant.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite
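
The FORMFIELDS restriction discussed in this message, next to the hand-written query it is being compared with. This is an added example, not part of the original message or of any poster's code; the datasource "appDSN", the "users" table, its columns and the "formaudit" log name are hypothetical.

```cfml
<!--- Added example. The three inserts below are alternatives, not a sequence.
      Datasource, table, column and log names are hypothetical. --->

<!--- Allowlist of fields this form is expected to post. --->
<cfset allowedFields = "username,email,display_name">

<!--- Detection: log any posted field that is not on the allowlist.
      form.fieldnames is the list of field names ColdFusion received. --->
<cfset unexpected = "">
<cfloop list="#form.fieldnames#" index="fieldName">
    <cfif NOT listFindNoCase(allowedFields, fieldName)>
        <cfset unexpected = listAppend(unexpected, fieldName)>
    </cfif>
</cfloop>
<cfif len(unexpected)>
    <cflog file="formaudit" type="warning"
           text="Unexpected form fields posted: #unexpected#">
</cfif>

<!--- Weak: no FORMFIELDS attribute, so every posted form field is handed
      to the generated INSERT, including ones the form never contained. --->
<cfinsert datasource="appDSN" tablename="users">

<!--- Restricted: only the listed fields are used in the generated INSERT. --->
<cfinsert datasource="appDSN" tablename="users"
          formfields="#allowedFields#">

<!--- Hand-written: the column list is fixed in the SQL text, and each value
      is bound with a declared type and maximum length. --->
<cfquery datasource="appDSN">
    INSERT INTO users (username, email, display_name)
    VALUES (
        <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar" maxlength="254">,
        <cfqueryparam value="#form.display_name#" cfsqltype="cf_sql_varchar" maxlength="100">
    )
</cfquery>
```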

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:337404