Well, for once I must say I completely agree with Matt. In our own testing, stored procedures offered nothing but a hassle when we needed to see what the query looked like, or wanted to change it. We ran query tests against a database of some 10 million rows, got some records, and timed the beginning getTickCount() and the end getTickCount()....

Well, there was sooo much of no difference that we were absolutely perplexed as to why we were told to use them, because they were pre-compiled into machine language in SQL Server and blah blah blah...

So, to wit... we just now look at it from an ease of use standpoint... I can honestly say that if you can hack this cfquery block, from a browser, using some sort of string something or whatever, then I'm not sure why I'm here..

<!--- first check: the field must exist and be numeric before the query runs --->
<cfif isDefined("form.companyId") and isNumeric(form.companyId)>

<cfquery name="get" datasource="myDSN">
select *
from company table
<!--- second check: bound as a typed integer parameter, never pasted into the SQL text --->
where companyID = <cfqueryparam cfsqltype="CF_INTEGER" value="#form.companyId#">
</cfquery>

</cfif>

I validate the type twice, and other than that, how could this be affected adversely?

Regardless... I can't see how you could possibly fathom that a stored proc is more secure, when you can provide this kind of validation... other than obscuring the code, what's the point?

....tony

r e v o l u t i o n w e b d e s i g n
[EMAIL PROTECTED]
www.revolutionwebdesign.com

It only looks good to those who can see bad as well
-anonymous

-----Original Message-----
From: Matt Liotta [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 8:48 PM
To: CF-Talk
Subject: Re: why are procedures better? (was: RE: Securing CF Apps.)

> 1. They execute faster. The db (I only know from Oracle and SQL Server, if others are different it doesn't really concern me) can optimize the execution plan.
>
Prepared statements execute at the same speed as stored procedures.

> 2. You can often times do more. There are things I can do in a pl/sql package/procedure that I cannot do in a query call.
>
For example?

> 3. You can limit access with them. Now granted you can set it up so you are only selecting from a view in your query block as well, but it makes more sense to me to do it in a procedure.
>
Why does it make more sense?

> 4. An additional layer of security. You can ensure that your user not only cannot execute the procedure, but they can't even tell it exists.
>
If the user is executing the procedure how could they not know it exists?

> I am sure there are more reasons, but I think those are sufficient to use procedures.
>
If that's all, I guess I'll continue to use cfquery.

-Matt
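Tony's two checks (an isNumeric() gate, then a typed cfqueryparam bind) worked through as an added example that is not from the thread: Python with sqlite3 stands in for ColdFusion and SQL Server, and the table, rows, function names and the hostile form value are all constructed here. It shows why a string payload does nothing once the value is bound as a parameter, and what the same query does when the value is pasted into the SQL text instead.

```python
import sqlite3

# Constructed sample data standing in for the company table.
COMPANIES = [(1, "Acme"), (2, "Globex"), (3, "Initech")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE company (companyID INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO company VALUES (?, ?)", COMPANIES)
    return db


def lookup_concat(db, company_id):
    """cfquery WITHOUT cfqueryparam: the form value becomes part of the
    SQL text, so whatever the browser sent is parsed as SQL."""
    sql = f"SELECT name FROM company WHERE companyID = {company_id}"
    return [row[0] for row in db.execute(sql)]


def lookup_bound_only(db, company_id):
    """Bind parameter with no type check: the whole string is compared as
    a single value against an integer column and simply matches nothing."""
    rows = db.execute("SELECT name FROM company WHERE companyID = ?", (company_id,))
    return [row[0] for row in rows]


def lookup_param(db, company_id):
    """Both of Tony's checks: reject non-numeric input up front (isNumeric),
    then bind the value as an integer (cfqueryparam CF_INTEGER)."""
    try:
        value = int(str(company_id).strip())
    except ValueError:
        raise ValueError("companyId is not numeric")
    rows = db.execute("SELECT name FROM company WHERE companyID = ?", (value,))
    return [row[0] for row in rows]


def demo():
    db = make_db()
    hostile = "1 OR 1=1"  # constructed: the kind of value a form post could carry
    results = {
        "concat": lookup_concat(db, hostile),        # every row comes back
        "bound_only": lookup_bound_only(db, hostile),  # no rows: compared as one value
        "param_valid": lookup_param(db, "2"),         # normal lookup still works
    }
    try:
        lookup_param(db, hostile)
        results["param"] = "accepted"
    except ValueError:
        results["param"] = "rejected"                  # stopped at the numeric gate
    return results
```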