Are you implying that cfqueryparam _shouldn't_ be used for these reasons??

- Gabriel

On Mon, May 2, 2011 at 8:49 AM, <> wrote:
>
> Right.
> However about CFQUERYPARAM, keep in mind that:
> - this will prevent SQL injection, not all forms of attacks;
> - CFQUERYPARAM makes all values look like "parameter 1"... in the error messages, instead of the real values, not really handy when debugging;
> - CFQUERYPARAM makes all queries more difficult to write AND to read for programmers;
> - disabling multiple statement execution in the database will prevent SQL injection as well.
> - ending a query on an error because of CFQUERYPARAM will prevent the injection, but will not give you any hint that it was really an attack.
>
> Personally I prefer checking crucial form and url parameters and eventually banning the intruder before submitting the query.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344120
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
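The two query styles the thread argues about, as an added example that is not from either poster: the interpolated query beside the cfqueryparam version, with a catch block that logs the real submitted value and client so the "parameter 1" error message and the missing attack hint from the quoted list are both addressed. Binding the value as a parameter keeps it out of the SQL text within a single statement, which disabling multiple-statement execution alone does not do. The `users` table, the `myDSN` datasource and the `id` URL parameter are assumed names.

```cfml
<!--- Added example, not code from the thread. Assumes a table "users" with an
      integer primary key "id", a datasource "myDSN" and a URL parameter "id". --->

<!--- Before: url.id is spliced into the SQL text, so whatever the client sends
      becomes part of the statement the database parses. --->
<cfquery name="getUserRaw" datasource="myDSN">
    SELECT id, username FROM users WHERE id = #url.id#
</cfquery>

<!--- After: the value travels as a bound parameter, never as SQL text.
      cfsqltype="cf_sql_integer" also rejects non-numeric input before the
      query is sent, which is the "error instead of injection" the thread mentions. --->
<cftry>
    <cfquery name="getUser" datasource="myDSN">
        SELECT id, username FROM users WHERE id =
            <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <!--- The driver error only refers to "parameter 1"; record the real value,
              the client address and the script so a rejected request leaves a
              trail for debugging and for spotting probing. --->
        <cfset logLine = "rejected id=[#url.id#] from #cgi.remote_addr# uri=#cgi.script_name#: #cfcatch.message#">
        <cflog file="query-validation" type="warning" text="#logLine#">
        <!--- Give the caller a generic error; the detail stays in the log. --->
        <cfthrow message="Invalid request">
    </cfcatch>
</cftry>
```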