> You made a valid point, but let me switch to cfquery for a 
> min. It has become best practice to use cfqueryparam to stop 
> sql injection, but there are times when you don't need it either.
> 
> And as discussed on another mailing list about this issue, I 
> made the point that if the query is inside a cfunction where 
> the conditions were either inside the function or passed 
> through as arguments, then a cfqueryparam is certainly not 
> needed. But people still do it because it is best practice.

This is a poor analogy, because it's very easy to determine whether you need
to use CFQUERYPARAM: if you use data that originated from the browser in
your query, directly or indirectly, you need to prevent SQL injection
attacks. Otherwise, you don't. It doesn't matter whether your CFQUERY is
within a function; if it is, and it uses arguments that originated with
browser-supplied data, then you are vulnerable to the same SQL injection
attacks. Of course, since CFQUERYPARAM can also provide performance
benefits, you might want to use it elsewhere as well. In general, prepared
statements perform better.

Locking, on the other hand, degrades performance. Unnecessary locking
degrades performance unnecessarily.

> *"Locking shared scope variables within ColdFusion templates 
> is an often overlooked process that has severe consequences 
> when best practices are not followed. This document will 
> explain why the process of locking shared scope variables is 
> important and the corresponding best practices.
> 
> Developers should be advised that these practices should not 
> be considered optional under any circumstances. Most cases of 
> ColdFusion site instability can be traced back to improper 
> use or complete lack of locking. ...

You realize that this quote is not applicable to CFMX, right? Omitting locks
hasn't caused instability since CF 5. There have been significant changes to
how locking works between CF 5 and CFMX, and consequently, to how you should
implement locking within your applications.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
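The point made above, that what matters is where the data originated and not whether the CFQUERY sits inside a function, as an added CFML example that is not part of the original message; the function, datasource, table and column names are assumed.

```cfml
<!--- Added example, not from the original message. Hypothetical names:
      getUserByName(), datasource application.dsn, table "users". --->

<!--- Vulnerable: the function looks "internal", but the caller passes form
      data straight through, so the query is still built from browser input
      and is open to SQL injection. --->
<cffunction name="getUserByNameUnsafe" access="public" returntype="query">
    <cfargument name="username" type="string" required="true">
    <cfset var qUser = "">
    <cfquery name="qUser" datasource="#application.dsn#">
        SELECT user_id, username, email
        FROM users
        WHERE username = '#arguments.username#'
    </cfquery>
    <cfreturn qUser>
</cffunction>

<!--- Hardened: the same function with CFQUERYPARAM. The value is bound as a
      parameter, so it is never interpreted as SQL; MAXLENGTH bounds the
      input size, and the database can reuse the prepared statement
      (the performance benefit mentioned above). --->
<cffunction name="getUserByName" access="public" returntype="query">
    <cfargument name="username" type="string" required="true">
    <cfset var qUser = "">
    <cfquery name="qUser" datasource="#application.dsn#">
        SELECT user_id, username, email
        FROM users
        WHERE username = <cfqueryparam value="#arguments.username#"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="50">
    </cfquery>
    <cfreturn qUser>
</cffunction>

<!--- Caller: the argument originates with the browser (FORM scope), so
      wrapping the query in a function offers no protection by itself. --->
<cfset qUser = getUserByName(form.username)>
```

The same rule applies to URL, COOKIE and CGI variables, or to database values that were themselves stored from browser input.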


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275240