I haven't heard anyone mention the security value of cfqueryparam... using
this tag will prevent someone from injecting malicious code into your
queries. Consider this example:


<cfparam name="url.userid">


<cfquery>
select id, username from people where userid = #url.userid#
</cfquery>


If someone calls this page with the url
"sample.cfm?userid=1+go+delete+*+from+people" there is a chance that the
people table will get nuked.  cfqueryparam prevents this from happening.


    Mark
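As an added illustration (not code from Mark's post or from the original thread), here is the same query written first in its unsafe form and then with cfqueryparam. The datasource name "demoDSN" and the extra "status" column are assumptions made for the example; the bind for the constant 'active' ties in the plan-cache point Jochem and Adam discuss in the quoted message below.

```cfml
<!--- Added example, not part of the original post.
      Assumes a datasource named "demoDSN" (hypothetical) and a "people"
      table with integer column "userid" and a varchar column "status"
      (the status column is assumed for this example). --->
<cfparam name="url.userid">

<!--- BEFORE: the raw URL value is spliced into the SQL text, so anything
      after the number (see the payload in the post above) is sent to the
      DBMS as SQL syntax. Kept commented out so the page cannot run it. --->
<!---
<cfquery name="getUserUnsafe" datasource="demoDSN">
    select id, username from people where userid = #url.userid#
</cfquery>
--->

<!--- AFTER: cfqueryparam sends the value as a bind parameter, never as part
      of the SQL string, so the DBMS treats it as data rather than syntax.
      With cfsqltype="cf_sql_integer" ColdFusion also refuses a non-integer
      value before the query ever reaches the database. --->
<cfquery name="getUser" datasource="demoDSN">
    select id, username
    from people
    where userid = <cfqueryparam value="#url.userid#" cfsqltype="cf_sql_integer">
      and status = <cfqueryparam value="active" cfsqltype="cf_sql_varchar">
</cfquery>

<cfoutput>
    <cfloop query="getUser">#getUser.id#: #getUser.username#<br></cfloop>
</cfoutput>
```

Binding the constant 'active' as well is optional for safety (it is not user input), but it means the statement text the DBMS sees is identical for every value of userid and status, which is the single-compilation behaviour described in the quoted discussion.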

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 08, 2003 6:54 PM
To: CF-Talk
Subject: Re: The Value of CFQUERYPARAM

[EMAIL PROTECTED] wrote:
>
> I asked this question and quite a discussion broke out between the DB
> heavyweights (Jochem and Adam I think)

Thank you :-)

> I've tried my best to find it in the archives but I can't for some
> reason.....

http://www.houseoffusion.com/cf_lists/index.cfm?method=messages&threadid=24110&forumid=4#121513

I hope I am doing Adam's position justice when I summarise the
debate as follows:
- with cfqueryparam, changes in the value of a parameter will not
lead to a recompilation (overhead) of the query execution plan in
the DBMS
- this is generally a good thing, because it means a query like
select * from table where id = X gets only compiled once,
regardless of the value of X
- therefore, if you use cfqueryparam for constants as well, the
query will still be only compiled once (Adam)
- but if you don't use cfqueryparam, you can force a
recompilation of the query execution plan if you want to (Jochem)

I am still not sure we actually disagree :-)

Jochem

--
When you don't want to be surprised by the revolution
organize one yourself
     - Loesje