> > if you're using SQL Server 7 you should _always_ use Val() in
> > CFQUERY tags when expecting an integer because if your CFQUERY says:
> >
> > SELECT foo
> > FROM bar
> > WHERE id=#url.id#
> >
> > and someone changes the URL from:
> > www.mysite.com/qwe.cfm?id=1
> > to
> > www.mysite.com/qwe.cfm?id=1;delete%20from%20bar
> > then what gets thrown to the DB is:
> >
> > SELECT foo
> > FROM bar
> > WHERE id=1;delete from bar
> >
> > and SQL Server 7 treats this as 2 valid SQL statements and
> > runs it....
> >
> > You should write:
> >
> > SELECT foo
> > FROM bar
> > WHERE id=#Val(url.id)#
>
> Actually, you should use CFQueryParam
>
> SELECT foo
> FROM bar
> WHERE id=<CFQueryParam value="#URL.ID#" CFSQLType="CF_SQL_INTEGER">
I don't know that I'd make that a blanket recommendation. If you use
CFQUERYPARAM to make a prepared statement, you can't use
CACHEDWITHIN/CACHEDAFTER with your CFQUERY tags. You'll want to determine
which is more appropriate in a given case.
In any case, you'll get better performance using stored procedures with SQL
Server than you will with CFQUERYPARAM; Oracle, on the other hand, gets more
out of prepared statements and less out of SPs than SQL Server does.
Lots of choices to make.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
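The following is an added example, not code from anyone in the thread above. It replays the stacked-query injection the first poster describes and the two defences that were proposed (Val() coercion versus a typed CFQUERYPARAM), using an in-memory SQLite table as a stand-in for SQL Server 7. Three things are assumptions of the example rather than facts from the thread: cf_val() is an approximation of ColdFusion's Val() (leading numeric prefix, else 0), run_batch() emulates SQL Server 7 executing every statement in a ";"-separated batch by naively splitting on ";", and run_parameterized() models the integer check that CF_SQL_INTEGER performs by rejecting anything int() cannot parse.

```python
"""
Added example (not from the original CF-Talk thread): the id=1;delete%20from%20bar
injection, and how #Val(url.id)# and <cfqueryparam cfsqltype="CF_SQL_INTEGER">
each change what reaches the database.
"""
import re
import sqlite3

# Assumption: ColdFusion Val() returns the leading number of a string, else 0.
_LEADING_NUMBER = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+))")


def cf_val(text):
    """Approximation of ColdFusion Val(): '1;delete from bar' -> 1, 'abc' -> 0."""
    m = _LEADING_NUMBER.match(str(text))
    if not m:
        return 0
    num = float(m.group(1))
    return int(num) if num.is_integer() else num


def make_db():
    """Constructed sample table 'bar' with three rows (stand-in for the real DB)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT);"
        "INSERT INTO bar VALUES (1,'one'),(2,'two'),(3,'three');"
    )
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM bar").fetchone()[0]


def query_interpolated(url_id):
    """The SQL text CFQUERY sends when the tag reads WHERE id=#url.id#."""
    return f"SELECT foo FROM bar WHERE id={url_id}"


def query_with_val(url_id):
    """The SQL text CFQUERY sends when the tag reads WHERE id=#Val(url.id)#."""
    return f"SELECT foo FROM bar WHERE id={cf_val(url_id)}"


def run_batch(conn, sql):
    """Emulate SQL Server 7 running every statement in a ';'-separated batch.
    Assumption: splitting on ';' is good enough for the constructed inputs here.
    Returns the rows of the last SELECT; any DELETE in the batch also executes."""
    rows = []
    for stmt in filter(None, (s.strip() for s in sql.split(";"))):
        cur = conn.execute(stmt)
        if stmt.upper().startswith("SELECT"):
            rows = cur.fetchall()
    conn.commit()
    return rows


def run_parameterized(conn, url_id):
    """Model of <cfqueryparam cfsqltype="CF_SQL_INTEGER">: the value must be an
    integer and is bound as a parameter, never spliced into the SQL text."""
    try:
        bound = int(url_id)
    except ValueError:
        raise ValueError(f"invalid integer parameter: {url_id!r}") from None
    return conn.execute("SELECT foo FROM bar WHERE id=?", (bound,)).fetchall()


def demo():
    """Run the attack URL's id value through all three variants."""
    attack = "1;delete from bar"  # constructed attacker input from the URL
    results = {}

    conn = make_db()
    results["interpolated_rows"] = run_batch(conn, query_interpolated(attack))
    results["interpolated_remaining"] = row_count(conn)  # table wiped

    conn = make_db()
    results["val_rows"] = run_batch(conn, query_with_val(attack))
    results["val_remaining"] = row_count(conn)  # Val() silently dropped the tail

    conn = make_db()
    try:
        run_parameterized(conn, attack)
        results["param_rejected"] = False
    except ValueError:
        results["param_rejected"] = True  # typed parameter refuses the value
    results["param_remaining"] = row_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two behaviours worth noticing: Val() neutralises the payload by coercing it to 1, so the request still succeeds and nothing is logged, while the typed parameter throws, which is what you want if you intend to notice tampering. Neither approach changes the SQL text when the input is a plain integer.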