>>- CFQUERYPARAM makes all values look like "parameter 1"... in the error messages, instead of the real values, not really handful when debugging;
There are parsers that will show the actual queries with values. My favorite is the one that Ben Nadel wrote. It is a little JS bookmark widget. >>- CFQUERYPARAM makes all queries more difficult to write AND to read for programmers; Opinion. Depends on the person. I have not problem with using them. Besides the bulk of the SQL code for most of my CRUD's are machine generated. G! On Mon, May 2, 2011 at 8:49 AM, <> wrote: > > Right. > However about CFQUERYPARAM, keep in mind that: > - this will prevent SQL injection, not all form of attacks; > - CFQUERYPARAM makes all values look like "parameter 1"... in the error > messages, instead of the real values, not really handful when debugging; > - CFQUERYPARAM makes all queries more difficult to write AND to read for > programmers; > - disabling multiple statement execution in the database will prevent from > SQL injection as well. > - ending a query on an error because of CFQUERYPARAM will prevent the > injection, but will not give you any hint that it was really an attack. > > Personally I prefer checking crucial form and url parameters and eventually > ban the intruder before submiting the query. > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:344123 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm