between these three versions of selecting a recordset from a db.
version 1
-----------------------------
<cfquery name="getuser" datasource="#request.dsn#">
select first_name
from users
where user_id='#url.user_id#'
</cfquery>
version 2
-----------------------------
<cfquery name="getuser" datasource="#request.dsn#">
select first_name
from users
where user_id=<cfqueryparam value="#url.user_id#"
cfsqltype="CF_SQL_VARCHAR">
</cfquery>
version 3
-----------------------------
<cfstoredproc procedure="getuser" datasource="#request.dsn#">
<cfprocparam cfsqltype="CF_SQL_VARCHAR" value="#url.user_id#" type="In">
<cfprocresult name="getuser">
</cfstoredproc>
Using this SQL2000 procedure:
-----------------------------
CREATE PROCEDURE getuser
@user_id varchar(50)
as
select first_name
from users
where [EMAIL PROTECTED]
I did a loop over them 5000 times each, ran the loop 3 times each and
averaged the results
version 1: averaged 0.5098ms
version 2: averaged 0.5744ms
version 3: averaged 0.6814ms
So as performance goes, the simple cfquery version is ~20% faster than the
stored procedure. But I want to hear about the security flaws, not
performance. I've even used a url scoped variable in my example. So it's
easily hackable. Assuming these are all run on the same machine, let's say
we cancel out attacks like gaining access to an open port on a windows
server. Unless you think that makes a big difference. What makes one more
secure than the other?
Also, if these aren't the way to go, what's a better solution?
Steve Nelson
-----Original Message-----
From: Matt Liotta [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 23, 2004 8:48 PM
To: CF-Talk
Subject: Re: why are procedures better? (was: RE: Securing CF Apps.)
> I am sure there are more reasons, but I think those are sufficient to
> use
> procedures.
>
If that's all, I guess I'll continue to use cfquery.
-Matt
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
