Oh and btw one of the biggest ColdFusion/BlueDragon websites also
demonstrates the race condition problem, using persistent variables that
aren't locked.

So your point Dave?


On 4/15/07, Andrew Scott <[EMAIL PROTECTED]> wrote:
>
> Dave,
>
> That's what I mean: best practice says use cfqueryparam, and every document
> you read, regardless of CFMX 5.0, 6.0, 7.0, says when writing to a variable
> you will have a race condition.
>
> Now I can't name the version I tested this on, but I followed one of the
> article's directions on how a race condition will work. And you know what, it
> proves that even this version of ColdFusion needs cflock around persistent
> variable writes.
>
> So I went back a version and tried v7.02 on the same test; same thing, the
> results indicate a cflock is needed.
>
> So your point is?
>
>
>
> On 4/15/07, Dave Watts <[EMAIL PROTECTED]> wrote:
> >
> > > You made a valid point, but let me switch to cfquery for a
> > > min. It has become best practice to use cfqueryparam to stop
> > > SQL injection, but there are times when you don't need it either.
> > >
> > > And as discussed on another mailing list about this issue, I
> > > made the point that if the query is inside a cffunction where
> > > the conditions were either inside the function or passed
> > > through as arguments, then a cfqueryparam is certainly not
> > > needed. But people still do it because it is best practice.
> >
> > This is a poor analogy, because it's very easy to determine whether you need
> > to use CFQUERYPARAM: if you use data that originated from the browser in
> > your query, directly or indirectly, you need to prevent SQL injection
> > attacks. Otherwise, you don't. It doesn't matter whether your CFQUERY is
> > within a function; if it is, and it uses arguments that originated with
> > browser-supplied data, then you are vulnerable to the same SQL injection
> > attacks. Of course, since CFQUERYPARAM can also provide performance
> > benefits, you might want to use it elsewhere as well. In general, prepared
> > statements perform better.
> >
> > Locking, on the other hand, degrades performance. Unnecessary locking
> > degrades performance unnecessarily.
> >
> > > *"Locking shared scope variables within ColdFusion templates
> > > is an often overlooked process that has severe consequences
> > > when best practices are not followed. This document will
> > > explain why the process of locking shared scope variables is
> > > important and the corresponding best practices.
> > >
> > > Developers should be advised that these practices should not
> > > be considered optional under any circumstances. Most cases of
> > > ColdFusion site instability can be traced back to improper
> > > use or complete lack of locking. ...
> >
> > You realize that this quote is not applicable to CFMX, right? Omitting locks
> > hasn't caused instability since CF 5. There have been significant changes to
> > how locking works between CF 5 and CFMX, and consequently, to how you should
> > implement locking within your applications.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> >
> > Fig Leaf Software provides the highest caliber vendor-authorized
> > instruction at our training centers in Washington DC, Atlanta,
> > Chicago, Baltimore, Northern Virginia, or on-site at your location.
> > Visit http://training.figleaf.com/ for more information!
> >

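An added example, not taken from any message in this thread, showing in CFML the two things being argued about: a query that interpolates browser-supplied data versus the same query bound with cfqueryparam (including the "inside a function" case Dave describes), and an unlocked read-modify-write on the application scope next to the cflock'd version. The datasource name "myDSN", the "users" table and its columns, and the "hitCount" key are assumptions made up for the illustration.

```cfml
<!--- Added example for this thread, not code from any poster.
      Assumed for illustration: datasource "myDSN", table "users" with
      columns userId and userName, and an application key "hitCount". --->

<!--- (1a) Vulnerable: url.id is interpolated straight into the SQL text.
      A request such as ?id=1%20OR%201=1 rewrites the WHERE clause. --->
<cfquery name="getUserBad" datasource="myDSN">
    SELECT userId, userName FROM users WHERE userId = #url.id#
</cfquery>

<!--- (1b) Hardened: the value is passed as a typed bind parameter, so the
      database never parses it as SQL. The data originated from the
      browser, which is exactly the case where cfqueryparam is required. --->
<cfquery name="getUserGood" datasource="myDSN">
    SELECT userId, userName FROM users
    WHERE userId = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Wrapping the query in a function changes nothing: if the argument
      came from the browser, it still has to be bound, not interpolated. --->
<cffunction name="getUser" access="public" returntype="query" output="false">
    <cfargument name="id" type="numeric" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="myDSN">
        SELECT userId, userName FROM users
        WHERE userId = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- (2a) Race condition: an unlocked read-modify-write on a shared scope.
      Two concurrent requests can both read 41 and both write back 42,
      so one increment is lost. --->
<cfif NOT StructKeyExists(application, "hitCount")>
    <cfset application.hitCount = 0>
</cfif>
<cfset application.hitCount = application.hitCount + 1>

<!--- (2b) An exclusive lock around the whole check-and-increment makes it
      atomic. Keep the locked region to the shared-scope access only, since
      every request serialises on this lock. --->
<cflock scope="application" type="exclusive" timeout="5">
    <cfif NOT StructKeyExists(application, "hitCount")>
        <cfset application.hitCount = 0>
    </cfif>
    <cfset application.hitCount = application.hitCount + 1>
</cflock>

<!--- Readers that only need a consistent snapshot take a readonly lock,
      which does not block other readers, only the exclusive writer. --->
<cflock scope="application" type="readonly" timeout="5">
    <cfset currentCount = application.hitCount>
</cflock>
```

The two halves illustrate the different tests each side is applying: for cfqueryparam the question is where the data came from, and a function boundary does not change the answer; for cflock the question is whether the shared-scope operation is a read-modify-write that several requests can interleave, and the lock covers only that operation so the performance cost stays limited to it.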

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275243