[cfaussie] Re: @#$!! queryparam

Andrew Scott Thu, 01 Mar 2007 18:52:22 -0800

Scott,

Well although I know what you said, I see no reason to add overhead to my
application to provide a stop measure for SQL injection when I have already
taken care of it before my code ever reaches there in a cffunction. As far
as making sure it is an integer instead of numeric, I couldn't care less
it's not an overhead I will put into my applications.


And to be honest, I would prefer to write SP's and have it on the DB side if
that to be the case.


Andrew Scott
Senior Coldfusion Developer
Aegeon Pty. Ltd.
www.aegeon.com.au
Phone: +613  8676 4223
Mobile: 0404 998 273



-----Original Message-----
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf
Of Scott Thornton
Sent: Friday, 2 March 2007 12:25 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] @#$!! queryparam


Andrew,

I disagree.

Although cfqueryparam performs vailidation, it is not the reason you should
be using it.

cfqueryparam makes the database engine use parameter binding on your
queries. For example your query below would look different to the db engine
every time it is run

eg:
  Select * from Employees where EmployeeId = 1
  Select * from Employees where EmployeeId = 2
  Select * from Employees where EmployeeId = 3

so your database engine builds different query execution plans for each of
these queries (in addition to validating the query, checking\casting the
parameter types etc)

etc

But with parameter binding the databse engine is executing something that
looks more like a stored procedure,

  Select * from Employees where EmployeeId = @var1

Here is an example from a SQL profile trace on my server:

declare @P1 int
set @P1=30
exec sp_prepexec @P1 output, N'@P1 decimal(38,0)', N'SELECT
IsNull(COUNT(ITEM.SB_INVOICE_ITEM_ID),0) AS CNT,
                           IsNull(SUM(ITEM.SB_INVOICE_COST),0) AS TOT_COST,
                           IsNull(SUM(CASE WHEN ITEM.SB_ITEM_STATUS_CODE =
''ER'' THEN 1 ELSE 0 END),0) AS ERR_COUNT
                                FROM
                                        SB_INVOICE_ITEM ITEM
                                WHERE
                                        ITEM.SB_INV_BATCH_ID = @P1 ', 1387
select @P1



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"cfaussie" group.
To post to this group, send email to cfaussie@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cfaussie?hl=en
-~----------~----~----~----~------~----~------~--~---

[cfaussie] Re: @#$!! queryparam

Reply via email to