Hi Dave
You could look at cfqueryparam as providing lots of features (security,
type and length checking, handling of lists, etc.) without ever knowing
that the implementation was done via parameter binding.  Because all of
those features could be implemented without parameter binding (do the
checking in CF and produce "raw" SQL), I would argue that the binding
part is an implementation detail, and one that could be disabled without
affecting much of the usefulness of cfqueryparam (for security and type
checking, etc.).

Why would I want to disable binding? That depends on the situation, but
SQL profiling (even on/especially on a production system) is really,
really useful.  Sure, binding may be slightly faster in some cases (and
maybe lots faster in others, but I wouldn't be too sure about that), but
I would bet that most slow DB queries are due to query/table/index
design or the effects of query load, not to the time it takes to compile
the query (which is where binding is helpful). In those situations I
would prefer to see the "real" SQL, and not the cryptic execution of a
precompiled statement.

Another angle has to do with the way bad SQL is reported in a CF error:
With binding you see the query but not the values inserted into the
query. Without binding the error reports exactly what was executed.  I
have every CF error on my web site emailed to me and sometimes these
little details are the only way to track down and fix subtle bugs so
they never happen again.

You would think that for all the seriousness of the security hacks
everyone is talking about that CF would want to make it a complete
no-brainer that we should all use cfqueryparam.  You may not agree on
the value of the things I don't want to go without, but I hope you can
see that they are at least potentially real to someone, somewhere,
sometime.  Being able to flip a switch to "revert" to non-bound
parameters would make that possible, so why treat it like a dumb idea?

Thanks
        Mark
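Mark's point that the checking is separable from the binding, shown as an added Python/SQLite example that is not CFML and not code from this list: the hypothetical Param class does cfqueryparam-style type, length and list checking in application code, the query is still executed with bound parameters, and a display-only rendering of the "real" SQL is produced for the profiler or an error mail without giving up binding.

```python
import sqlite3
from dataclasses import dataclass

@dataclass
class Param:
    """Hypothetical stand-in for one cfqueryparam: value plus declared type/maxlength/list."""
    value: object
    sqltype: str          # "integer" or "varchar"
    maxlength: int = 0    # 0 means no length limit
    is_list: bool = False

    def checked(self) -> list:
        """Type/length checking done in application code, independent of how SQL is sent."""
        vals = list(self.value) if self.is_list else [self.value]
        for v in vals:
            want = int if self.sqltype == "integer" else str
            if isinstance(v, bool) or not isinstance(v, want):
                raise TypeError(f"expected {self.sqltype}, got {v!r}")
            if want is str and self.maxlength and len(v) > self.maxlength:
                raise ValueError(f"value exceeds maxlength={self.maxlength}")
        return vals

def build(template: str, params: list) -> tuple:
    """One '?' per Param; a list Param expands to '?, ?, ...'. Returns (bound SQL, values)."""
    pieces = template.split("?")
    if len(pieces) != len(params) + 1:
        raise ValueError("placeholder count does not match parameter count")
    sql, values = pieces[0], []
    for p, tail in zip(params, pieces[1:]):
        vals = p.checked()
        sql += ", ".join("?" * len(vals)) + tail
        values.extend(vals)
    return sql, values

def render(sql: str, values: list) -> str:
    """Display-only 'real' SQL for the profiler or an error mail; it is never executed."""
    lits = [str(v) if isinstance(v, int) else "'" + v.replace("'", "''") + "'" for v in values]
    parts = sql.split("?")
    return "".join(p + l for p, l in zip(parts, lits)) + parts[-1]

def demo() -> tuple:
    conn = sqlite3.connect(":memory:")  # constructed sample table
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob"), (3, "o'hara")])
    sql, values = build("SELECT id, name FROM users WHERE name = ? AND id IN (?)",
                        [Param("x' OR '1'='1", "varchar", maxlength=40),
                         Param([1, 2, 3], "integer", is_list=True)])
    rows = conn.execute(sql, values).fetchall()   # executed bound; the quote-laden value is inert
    return rows, render(sql, values)              # rendered copy goes to the profiler/error log
```

The rendered string carries the actual values Mark wants to see in an error mail, while the database only ever receives the placeholder form and the values separately.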


-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 08, 2007 5:16 PM
To: CF-Talk
Subject: RE: cfquery: quotes vs queryparam

> I wish CF could allow the use of the cfqueryparam tag without all of 
> the other side-effects (using binding, disabling
> caching) so that we really could say *always* use it... 

Binding is not a side-effect, it is exactly what CFQUERYPARAM does.
CFQUERYPARAM creates bound parameters.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285769