Gaulin, Mark wrote:
> Hi Dave
> You could look at cfqueryparam as providing lots of features (security,
> type and length checking, handling of lists, etc) without ever knowing
> that the implementation was done via parameter binding.  Because all of
> those features could be implemented without parameter binding (do the
> checking in CF and produce "raw" SQL), I would argue that the binding
> part is an implementation detail, and one that could be disabled without
> affecting much of the usefulness of cfqueryparam (for security and type
> checking, etc).

I challenge you to produce a design (not even an implementation) of a
function or tag that produces the same security as bind parameters do.


> Why would I want to disable binding? That depends on the situation, but
> SQL profiling (even on/especially on a production system) is really,
> really useful.  Sure, binding may be slightly faster in some cases (and
> maybe lots faster in others, but I wouldn't be too sure about that), but
> I would bet that most slow DB queries are due to query/table/index
> design or the effects of query load, not on the time it takes to compile
> the query (which is where binding is helpful). In those situations I
> would prefer to see the "real" SQL, and not the cryptic execution of a
> precompiled statement.  

So get a database with proper logging and profiling tools.


> Another angle has to do with the way bad SQL is reported in a CF error:
> With binding you see the query but not the values inserted into the
> query. Without binding the error reports exactly what was executed.

It reports exactly what was sent to the database in that statement. It
still doesn't report what was executed nor in what context it was executed.


> You would think that for all the seriousness of the security hacks
> everyone is talking about that CF would want to make it a complete
> no-brainer that we should all use cfqueryparam.  You may not agree on
> the value of the things I don't want to go without, but I hope you can
> see that they are at least potentially real to someone, somewhere,
> sometime.  Being able to flip a switch to "revert" to non-bound
> parameters would make that possible, so why treat it like a dumb idea?

Because an 'off switch' is fundamentally incompatible with the security
features.

Jochem


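The difference the two posters are arguing about, shown as an added example that is not part of the thread and not ColdFusion code: it uses Python's sqlite3 module, since parameter binding works the same way there as under cfqueryparam. The table, the rows and the three lookup functions are constructed for the illustration; the "filtered" variant is my reading of the quoted suggestion to "do the checking in CF and produce raw SQL".

```python
import sqlite3

# Constructed sample rows, not data from the thread. The second name
# contains a single quote, which is legitimate data that also happens to
# be the SQL string delimiter.
USERS = [(1, "alice", "alice@example.com"),
         (2, "O'Brien", "obrien@example.com")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_concatenated(conn, name):
    """'Raw SQL' as discussed in the thread: the value is pasted into the
    statement text, so any quote character in it changes the statement's
    structure instead of staying inside the value."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_filtered(conn, name):
    """The 'do the checking in CF' approach: reject anything that could
    break the statement, then emit raw SQL. It is only as safe as the
    list of characters it knows about, and it rejects legitimate values
    such as O'Brien."""
    if "'" in name or ";" in name:
        raise ValueError("quote or statement separator in value")
    return lookup_concatenated(conn, name)


def lookup_bound(conn, name):
    """Bind parameter: the statement text is fixed when it is parsed and
    the value is handed to the database separately, so it can only ever be
    compared against the column, whatever characters it contains."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run all three lookups for one input and report what each produced.
    Failures are returned as strings rather than raised so the three
    outcomes can be read side by side."""
    conn = make_db()
    results = {}
    for label, fn in (("concatenated", lookup_concatenated),
                      ("filtered", lookup_filtered),
                      ("bound", lookup_bound)):
        try:
            results[label] = fn(conn, name)
        except (sqlite3.Error, ValueError) as exc:
            results[label] = "error: " + str(exc)
    conn.close()
    return results


if __name__ == "__main__":
    for value in ("alice", "O'Brien"):
        print(repr(value), compare(value))
```

For "alice" all three lookups agree. For "O'Brien" the concatenated query fails to parse because the quote ended the string literal early, the filter refuses the value outright, and only the bound query returns the row: the database never sees the quote as syntax. That is the property the reply calls incompatible with an off switch, because the moment the value is turned back into statement text the caller is once again responsible for every character the dialect treats specially.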
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:285790