> why not just use cfqueryparam, it validates and it makes your
> sql code run faster???
While using CFQUERYPARAM can provide better performance than not using it, certain platforms will benefit more from stored procedures than from prepared statements - SQL Server, for example. On the other hand, I've been told that in many cases Oracle benefits more from prepared statements than from stored procedures, so I guess you have to know what will perform best on your platform.

However, from a security perspective, stored procedures provide more than simple data validation. If you use stored procedures exclusively, you can limit access from the application to only those stored procedures, which prevents an attacker from running any query other than those you've written yourself as stored procedures.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
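The "stored procedures only" setup described above, as an added worked example in T-SQL for SQL Server. This is not code from the original message; the table (dbo.Users), procedure (dbo.usp_GetUserByName) and login (cf_app) are hypothetical names chosen for the illustration, and the sample rows are constructed. The point it shows is the one Dave makes: the application's database login gets EXECUTE on the procedures and no rights on the tables, so even a successful injection into some other part of the application cannot run an arbitrary query.

```sql
-- Added example (not from the original post). All object and login names
-- are hypothetical; sample rows are constructed for the demonstration.

-- Schema and sample data.
CREATE TABLE dbo.Users (
    UserID       INT IDENTITY PRIMARY KEY,
    UserName     NVARCHAR(64)  NOT NULL UNIQUE,
    PasswordHash VARBINARY(64) NOT NULL,
    IsAdmin      BIT           NOT NULL DEFAULT 0
);
INSERT INTO dbo.Users (UserName, PasswordHash, IsAdmin)
VALUES (N'alice', 0x01, 0), (N'bob', 0x02, 1);
GO

-- The only query the application is ever allowed to run against dbo.Users.
-- @UserName is a typed parameter, so its value is data, never SQL text.
CREATE PROCEDURE dbo.usp_GetUserByName
    @UserName NVARCHAR(64)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserID, UserName, IsAdmin
    FROM dbo.Users
    WHERE UserName = @UserName;
END;
GO

-- A dedicated login for the ColdFusion datasource. It is granted EXECUTE on
-- the procedure and nothing else: no SELECT/INSERT/UPDATE/DELETE on any table.
CREATE LOGIN cf_app WITH PASSWORD = 'Replace-Me-With-A-Long-Random-Secret-1';
CREATE USER cf_app FOR LOGIN cf_app;
GRANT EXECUTE ON OBJECT::dbo.usp_GetUserByName TO cf_app;
GO

-- Verify the effect by impersonating the application user.
EXECUTE AS USER = 'cf_app';

-- Allowed: the procedure and the table share an owner (dbo), so ownership
-- chaining lets the procedure read dbo.Users although cf_app itself cannot.
EXEC dbo.usp_GetUserByName @UserName = N'alice';

-- Denied: direct access to the table, which is what an attacker who gets a
-- query through the application (e.g. via "' OR 1=1 --") would be running.
-- Expected error: "The SELECT permission was denied on the object 'Users' ..."
BEGIN TRY
    SELECT UserName, PasswordHash FROM dbo.Users;
END TRY
BEGIN CATCH
    PRINT 'Direct table access blocked: ' + ERROR_MESSAGE();
END CATCH;

REVERT;
GO
```

Two caveats a practitioner will want. First, the protection relies on the procedure body being static SQL: a procedure that builds a string from its parameters and runs it through EXEC or sp_executesql reintroduces injection, and that dynamic statement also runs in the caller's context, so keep the parameters in WHERE clauses as above. Second, ownership chaining is what lets cf_app reach the table through the procedure without a table grant; if the procedure and the table have different owners, the chain breaks and you would need either a common owner or EXECUTE AS on the procedure. On the ColdFusion side the call is made with CFSTOREDPROC and CFPROCPARAM rather than CFQUERY, and the datasource is configured with the cf_app login.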