> - CFQUERYPARAM makes all queries more difficult to write AND to read for programmers;

I couldn't disagree more with this statement. Aside from the protection benefits, the use of cfqueryparam creates bound SQL parameters, which improve query performance. I don't disagree with your suggestion to check form and url parameters. In fact I encourage it heavily, and hope that folks will remember the 'type' attribute of the cfparam tag. That said, use of cfqueryparam is a must, IMO, and the more you use it the more it becomes second nature. Yes, your error messages may need some help, but a combination of usage and proper error handling (too often ignored) can go a long way towards saving your bacon.

Steve 'Cutter' Blades
Adobe Community Professional
Adobe Certified Expert
Advanced Macromedia ColdFusion MX 7 Developer
____________
http://blog.cutterscrossing.com
Co-Author "Learning Ext JS 3.2"
Packt Publishing 2010
https://www.packtpub.com/learning-ext-js-3-2-for-building-dynamic-desktop-style-user-interfaces/book

"The best way to predict the future is to help create it"

On 5/2/2011 7:49 AM, Claude Schnéegans wrote:
> Right.
> However about CFQUERYPARAM, keep in mind that:
> - this will prevent SQL injection, not all forms of attacks;
> - CFQUERYPARAM makes all values look like "parameter 1"... in the error messages, instead of the real values, not really handful when debugging;
> - CFQUERYPARAM makes all queries more difficult to write AND to read for programmers;
> - disabling multiple statement execution in the database will prevent SQL injection as well.
> - ending a query on an error because of CFQUERYPARAM will prevent the injection, but will not give you any hint that it was really an attack.
>
> Personally I prefer checking crucial form and url parameters and eventually ban the intruder before submitting the query.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344122
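The pattern both posters are arguing about, as an added CFML example that is not part of either message: a lookup that concatenates a URL value straight into the SQL text, beside the same lookup with the value validated by cfparam's type attribute, bound with cfqueryparam, and wrapped in the error handling the reply says is too often ignored, so a rejected value is logged as a possible attack instead of being lost in a driver message. The datasource name "shopdb", the products table and the "security" log file are assumptions for illustration.

```cfml
<!--- Added example, not code from the original thread. Assumes a datasource
      "shopdb" with a table products(id INT, name VARCHAR); both names are
      hypothetical. --->

<!--- Make sure url.id always exists so the catch block can log it. --->
<cfparam name="url.id" default="">

<!--- BEFORE: the raw value becomes part of the SQL text. A request with
      id=1 OR 1=1 returns every row, and where the driver allows multiple
      statements, id=1; DROP TABLE products runs a second statement. --->
<cfquery name="badLookup" datasource="shopdb">
    SELECT id, name FROM products WHERE id = #url.id#
</cfquery>

<!--- AFTER: check the parameter first, then bind it. --->
<cftry>
    <!--- cfparam's type attribute throws before any SQL is sent if url.id
          is not an integer, which is the up-front check Claude prefers. --->
    <cfparam name="url.id" type="integer">

    <!--- cfqueryparam sends the value as a bound parameter: the database
          plans the statement once and never parses the value as SQL. --->
    <cfquery name="goodLookup" datasource="shopdb">
        SELECT id, name
        FROM products
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfcatch type="any">
        <!--- Record the rejected value and the client address so the event
              is visible as a probable attack, then fail closed instead of
              echoing the driver's "parameter 1" message to the user. --->
        <cflog file="security"
               type="warning"
               text="Rejected product lookup id=[#left(url.id, 100)#] from #cgi.REMOTE_ADDR#: #cfcatch.message#">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid product id.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

Running the two checks together gives both sides of the argument what they want: cfparam rejects the value in plain terms before the query exists, and cfqueryparam guarantees that whatever reaches the database is data, not SQL, regardless of whether multiple statements are disabled on that server.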