>You could, but that's irrelevant; whether you know how something works has
nothing to do with how it works. What CFQUERYPARAM does is create bound
parameters. All of those other features are the side-effects.

That seems like a lame argument to me.  If you want to stick to defining 
cfqueryparam that way then I might as well request a new tag, 
cfqueryparmthatdoesntusebinding, that does everything that I want it to do 
without doing parameter binding. Then we could both have our way but somehow 
that doesn't feel like the spirit of what a high-level language like CF should 
be.
 
I completely concede that it would be difficult to guarantee perfect security 
the way that a bound parameter would.  My essential point is that it would be 
better for everyone if all code could be written with cfqueryparam and the 
benefits of query binding could be enjoyed in every case except those few times 
where it gets in the way, even if that meant not having 100% perfect security 
during those few moments when it was disabled.  That does not seem like an 
unreasonable point of view to me. 
 
Thanks 
 Mark
 
________________________________

From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wed 8/8/2007 6:35 PM
To: CF-Talk
Subject: RE: cfquery: quotes vs queryparam

> You could look at cfqueryparam as providing lots of features
> (security, type and length checking, handling of lists, etc)
> without ever knowing that the implementation was done via
> parameter binding.

You could, but that's irrelevant; whether you know how something works has
nothing to do with how it works. What CFQUERYPARAM does is create bound
parameters. All of those other features are the side-effects.

> You would think that for all the seriousness of the security
> hacks everyone is talking about that CF would want to make it
> a complete no-brainer that we should all use cfqueryparam. 

The security benefit of CFQUERYPARAM is that bound parameters don't allow
execution of commands. By using bound parameters, you are preventing the
execution of any commands embedded in your data values. If CFQUERYPARAM did
something other than create bound parameters, it would not be able to
guarantee prevention of SQL injection attacks.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

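As an added illustration (not code from this thread or from ColdFusion), here are the two styles the subject line contrasts, reduced to Python's sqlite3 so the difference can be run locally: the "quotes" style splices the value into the SQL text, while the cfqueryparam style sends it as a bound parameter, which is the mechanism Dave describes. The table, its rows and the function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for whatever cfquery would hit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def lookup_with_quotes(conn, username):
    """The 'surround it with quotes' style: the value becomes part of the SQL text,
    so the statement the database parses depends on what the value contains."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_with_binding(conn, username):
    """The cfqueryparam style: the SQL text is fixed and the value travels as a
    bound parameter, so it is compared as data and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run the same input through both styles on a fresh table."""
    conn = make_db()
    try:
        return lookup_with_quotes(conn, username), lookup_with_binding(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both styles agree.
    print(compare("alice"))
    # Input containing a quote: only the bound version still means "find this user".
    print(compare("x' OR 'a'='a"))
```

With the quoted style the second input rewrites the WHERE clause and every row comes back; with binding the same text is matched literally and no row does, which is the guarantee Dave is pointing at.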
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285778