Dave,

That's what I mean: best practice says use cfqueryparam, and every document
you read, regardless of CFMX 5.0, 6.0, 7.0, says when writing to a variable
you will have a race condition.

Now I can't name the version I tested this on, but I followed one of the
article's directions on how a race condition will work. And you know what, it
proves that even this version of ColdFusion needs cflock around persistent
variable writes.

So I went back a version and tried v7.02 on the same test; same thing, the
results indicate a cflock is needed.

So your point is?



On 4/15/07, Dave Watts <[EMAIL PROTECTED]> wrote:
>
> > You made a valid point, but let me switch to cfquery for a
> > min. It has become best practice to use cfqueryparam to stop
> > SQL injection, but there are times when you don't need it either.
> >
> > And as discussed on another mailing list about this issue, I
> > made the point that if the query is inside a cffunction where
> > the conditions were either inside the function or passed
> > through as arguments, then a cfqueryparam is certainly not
> > needed. But people still do it because it is best practice.
>
> This is a poor analogy, because it's very easy to determine whether you
> need to use CFQUERYPARAM: if you use data that originated from the browser
> in your query, directly or indirectly, you need to prevent SQL injection
> attacks. Otherwise, you don't. It doesn't matter whether your CFQUERY is
> within a function; if it is, and it uses arguments that originated with
> browser-supplied data, then you are vulnerable to the same SQL injection
> attacks. Of course, since CFQUERYPARAM can also provide performance
> benefits, you might want to use it elsewhere as well. In general, prepared
> statements perform better.
>
> Locking, on the other hand, degrades performance. Unnecessary locking
> degrades performance unnecessarily.
>
> > *"Locking shared scope variables within ColdFusion templates
> > is an often overlooked process that has severe consequences
> > when best practices are not followed. This document will
> > explain why the process of locking shared scope variables is
> > important and the corresponding best practices.
> >
> > Developers should be advised that these practices should not
> > be considered optional under any circumstances. Most cases of
> > ColdFusion site instability can be traced back to improper
> > use or complete lack of locking. ...
>
> You realize that this quote is not applicable to CFMX, right? Omitting
> locks hasn't caused instability since CF 5. There have been significant
> changes to how locking works between CF 5 and CFMX, and consequently, to
> how you should implement locking within your applications.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!

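As an added illustration of the two points argued above (this is example code written for this page, not code from either poster), here is a CFML fragment showing the query Dave describes as vulnerable, the parameterized form, the same query inside a function whose argument still originated in the browser, and a cflock around a write to a shared scope. The datasource `myDSN`, the `users` table and the `application.hitCount` counter are assumed names.

```cfml
<!--- Added example, not from the thread. Datasource "myDSN", table "users"
      and application.hitCount are assumed names. --->

<!--- 1. Browser data dropped straight into the SQL text: url.id is supplied by
        the client, so whatever arrives in the URL becomes part of the WHERE
        clause. This is the case Dave calls out as vulnerable. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- 2. Same query, parameterized. The value is bound as an integer and never
        concatenated into the SQL text, which is what prevents the injection. --->
<cfquery name="getUserSafe" datasource="myDSN">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Moving the query into a function does not change the analysis: if the
        argument came from the browser, the query still needs cfqueryparam.
        "var" keeps the query variable local so concurrent calls do not share it. --->
<cffunction name="getUserById" returntype="query" output="false">
    <cfargument name="id" type="numeric" required="true">
    <cfset var getUser = "">
    <cfquery name="getUser" datasource="myDSN">
        SELECT id, username FROM users
        WHERE id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn getUser>
</cffunction>

<!--- Caller: the argument originated in the URL, so it is browser data
      "indirectly" in Dave's sense. --->
<cfset user = getUserById(url.id)>

<!--- 4. A read-modify-write on a shared scope is the race condition the thread
        is arguing about: two requests can both read the old value and one
        increment is lost. An exclusive lock serializes the write. Reads of a
        single value that can tolerate a stale result do not need the lock,
        which is the performance point Dave makes. --->
<cflock scope="application" type="exclusive" timeout="10">
    <cfset application.hitCount = application.hitCount + 1>
</cflock>
```

The unsafe and safe queries have identical SQL; the only difference is whether the client-supplied value is part of the SQL text or bound as a parameter. The `type="numeric"` check on the function argument rejects non-numeric input before the query runs, but it is the `cfqueryparam` binding, not the type check, that protects string-typed parameters in the same position.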
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275242