> Since CFQUERYPARAM also generally provides a performance
> benefit, why wouldn't you just use that? What do you see
> as the advantage of your data scrubbing?

It depends on the project.  If the variables are scrubbed from the
beginning, some basic error checking can be run that would act before the
query is even run.  For example, if you have a product detail page that is
expecting a product ID...

<cfset url.id = abs(val(trim(url.id)))>
<cfif not url.id>
        <cflocation url="/">
</cfif>

Now you've guaranteed that there will be some value to pass to the query,
and if someone tries to get tricky with a SQL injection attack, they get
booted to the home page before the query is ever run.  For most of my
projects I use a combination of input scrubbing and SQL optimization
(QUERYPARAM and SPs where needed).

As with anything else, what you do depends on how the application will be
used, what kind of traffic you're expecting, and how much time and money the
client wants to throw at it.


-Justin Scott
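The "scrub first, then parameterise" combination the reply describes, written out as an added example (this is not code from the original post). The datasource "shop", the table "products" and its columns are assumptions for illustration; the scrub uses the same val()/abs() idiom as the post.

```cfml
<!--- Added example: numeric-ID scrub followed by a parameterised query.
      Assumed: datasource "shop", table "products" with integer column product_id. --->

<!--- The original snippet throws if url.id is absent; a cfparam default avoids that
      and still fails closed, since val("") is 0 and 0 is rejected below. --->
<cfparam name="url.id" default="0">

<!--- val() keeps only a leading number: val("42") -> 42, val("1 OR 1=1") -> 1,
      val("'; DROP TABLE products--") -> 0. abs() drops negative IDs. --->
<cfset request.productId = abs(val(trim(url.id)))>

<!--- Anything that did not survive as a positive integer never reaches the query. --->
<cfif not request.productId>
    <cflocation url="/" addtoken="false">
</cfif>

<!--- Second layer: even with a clean integer, bind it rather than interpolate it.
      cf_sql_integer also rejects non-integer values at runtime. --->
<cfquery name="qProduct" datasource="shop">
    SELECT product_id, name, price
    FROM   products
    WHERE  product_id = <cfqueryparam value="#request.productId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- An ID that scrubs cleanly but matches nothing is handled the same way. --->
<cfif not qProduct.recordCount>
    <cflocation url="/" addtoken="false">
</cfif>
```

Note the limit of the scrub: val() only makes sense for fields that are supposed to be numeric. For free-text inputs (search terms, names) there is no equivalent cast, so cfqueryparam with the appropriate cfsqltype is the layer that actually stops injection there; the scrub is an early exit for obviously bad requests, not a substitute for binding.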



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:222740
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4