> What are the benefits of using it? My applications seem to work fine
> without it.

CFQUERYPARAM does a couple of things.

Firstly, it uses (if it can - see below) a mechanism called "binding" to
associate variables (instead of fixed strings) with portions of a SQL
statement.  This allows more efficient management of the compilation and
execution of SQL statements.  To throw in a little education first......

WARNING!!!: techno non-CF stuff

When you want to execute a SQL statement, the first thing that happens
when you send your statement to the SQL box is that it compiles your
request and returns what is known as a "handle" to that particular
statement.  Then, you need to tell the SQL box to execute the statement
associated with that handle.  This may seem like a roundabout way of doing
it.  However, there are extra steps you can perform between the
compilation and the execution.  This is where you set up binding.

What does binding do then ?

Well - you attach (bind) variables to the handle that is returned by the
SQL box (after the compilation step).  This allows you to just change
values in those variables and execute the handle again without having to
re-compile your statement each time.  So there is a performance
improvement after the initial compilation/execution of the statement.

NOTE: not all SQL (or database) systems support this mechanism.

SO.... the next thing that CFQUERYPARAM does is that it shields you from
having to know: A) how to do binding, and B) if the particular database
box supports binding.  If the box does not support binding then
CFQUERYPARAM just reverts to generating the correct code inline for you.

And, finally, using CFQUERYPARAM allows you to more rigorously check your
datatypes AND (when binding is available) it helps avoid "SQL injection"
attacks on your system where someone can enter real SQL code into a field
on some form that may be able to hijack your actual SQL statement and/or
CF code and cause nasties to happen in your database and/or other portions
of your website.  This is because the compiled SQL code is ONLY what you
have created.  The "data" that comes in through the bind (CFQUERYPARAM)
variables is NOT part of the compilation (or your stream of CF code) but
is part of the execution and hence cannot be used to create hacks into
your CF code.

My suggestion.......

"Use CFQUERYPARAM as much as possible unless you have a good reason not
to."


Hope this helps and brings some sanity to the reasons behind
CFQUERYPARAM.


Gary Menzel
Web Development Manager
IT Operations Brisbane -+- ABN AMRO Morgans Limited
Level 29, 123 Eagle Street BRISBANE QLD 4000
PH: 07 333 44 828  FX:  07 3834 0828
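As an added illustration (not code from the original post, and not ColdFusion itself), this Python sqlite3 script stands in for the CF/SQL-box exchange described above: a bound query, the same query with the value spliced inline before compilation, and a typed lookup in the spirit of cfsqltype. The sample rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the post); "O'Brien" is valid data that also contains SQL string syntax.
SAMPLE_USERS = [(1, "Alice"), (2, "O'Brien"), (3, "Bob")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_by_name_bound(conn, name):
    # Binding: the statement text is fixed and compiled as-is; the value is
    # handed over separately at execution time, so it can only ever be data.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def find_by_name_inline(conn, name):
    # Inline: the value is spliced into the text before compilation, so its
    # characters become part of the SQL the engine parses.
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def find_by_id_bound(conn, id_value):
    # Datatype check in the spirit of cfsqltype="cf_sql_integer": refuse
    # anything that is not an int before it reaches the database at all.
    if isinstance(id_value, bool) or not isinstance(id_value, int):
        raise TypeError("id must be an integer, got %r" % (id_value,))
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (id_value,)).fetchall()

def demo():
    conn = make_db()
    results = {}
    results["bound_plain"] = find_by_name_bound(conn, "Alice")
    results["bound_quote"] = find_by_name_bound(conn, "O'Brien")
    results["inline_plain"] = find_by_name_inline(conn, "Alice")
    try:
        find_by_name_inline(conn, "O'Brien")
        results["inline_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        # The quote in the data broke the statement itself: data became code.
        results["inline_quote"] = "error: %s" % exc
    results["typed_ok"] = find_by_id_bound(conn, 3)
    try:
        find_by_id_bound(conn, "3")
        results["typed_bad"] = "accepted"
    except TypeError:
        results["typed_bad"] = "rejected"
    return results
```

The bound lookup finds O'Brien correctly while the inline version fails to compile on the same legitimate value, which is the "data is not part of the compilation" point in the post.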




---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]