Re: CFQUERYPARAM in CFC?

2005-02-16 Thread Tyler Fitch
ge-
> From: Tyler Fitch [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 15, 2005 1:31 PM
> To: CF-Talk
> Subject: Re: CFQUERYPARAM in CFC?
>
> Holy crap. That's an amazing thing to say. CFARGUMENT doesn't filter
> SQL Injection attacks.
>
> I can'

RE: CFQUERYPARAM in CFC?

2005-02-16 Thread Calvin Ward
What?!?!? Don't feed the trolls! :P

- Calvin

-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 16, 2005 6:29 AM
To: CF-Talk
Subject: RE: CFQUERYPARAM in CFC?

I suspect Mike was trolling in his own forum... ;-)

-Original Message-

RE: CFQUERYPARAM in CFC?

2005-02-16 Thread James Holmes
I suspect Mike was trolling in his own forum... ;-)

-Original Message-
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 February 2005 7:26
To: CF-Talk
Subject: RE: CFQUERYPARAM in CFC?

I'm thinking that's over the top. The only crazy question is the one th

RE: CFQUERYPARAM in CFC?

2005-02-16 Thread Calvin Ward
I'm thinking that's over the top. The only crazy question is the one that's never asked.

- Calvin

-Original Message-
From: Tyler Fitch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 1:31 PM
To: CF-Talk
Subject: Re: CFQUERYPARAM in CFC?

Holy crap. That

Re: CFQUERYPARAM in CFC?

2005-02-15 Thread Michael Dinowitz
Thank you all for bringing out the arguments for the use of CFQUERYPARAM for everyone to read. I expect that this will motivate many here to start using the tag, now that they see its use. One thing not mentioned is that the tag cannot be used along with cached queries using CachedWithin and

Re: CFQUERYPARAM in CFC?

2005-02-15 Thread Joe Rinehart
Hey Mike,

For security, CFQueryparam interacts with the database driver, telling it that the value provided is only a value and not SQL code - without it, a string arg could still contain injection code

For performance, "bind" queries can be cached by some RDBMS platforms providing a performance

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread RADEMAKERS Tanguy
cute time drops for subsequent iterations of query 2?

btw: running oracle 9.

/t

>-Original Message-
>From: Nathan Strutz [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, February 15, 2005 7:50 PM
>To: CF-Talk
>Subject: Re: CFQUERYPARAM in CFC?
>
>You typically won't see any

Re: CFQUERYPARAM in CFC?

2005-02-15 Thread Nathan Strutz
You typically won't see any cfqueryparam performance gains on low-usage queries and servers. In these cases, the reason for using them is typically security, standardization and best practices. Under heavy loads, cfqueryparam (sql bind variables actually) can help your database cache queries, h

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread RADEMAKERS Tanguy
If your backend database supports it, then CFQUERYPARAM implements bind variables for your query. Consider:

"select * from emp where id = #variable#"

if you execute this for employee 1, 2, 3, etc, then:
- without bind variables, the db will reparse the statement each and every time, because the

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread Dave Watts
> Personally, I see no reason for a CFQUERYPARAM being used
> inside a CFC. It adds extra overhead and the protection that
> it provides should be provided instead by the CFARGUMENT tag.
> Does anyone see a reason for it in such a case? Data binding?

How exactly would you provide the requisite

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread Michael T. Tangorre
> From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
> Personally, I see no reason for a CFQUERYPARAM being used
> inside a CFC. It adds extra overhead and the protection that
> it provides should be provided instead by the CFARGUMENT tag.
> Does anyone see a reason for it in such a case? Data bi

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread Ben Rogers
> Personally, I see no reason for a CFQUERYPARAM being used inside a CFC. It
> adds extra overhead and the protection that it provides should be provided
> instead by the CFARGUMENT tag. Does anyone see a reason for it in such a
> case? Data binding?

Besides the fact that security should be perfor

Re: CFQUERYPARAM in CFC?

2005-02-15 Thread Tyler Fitch
Holy crap. That's an amazing thing to say. CFARGUMENT doesn't filter SQL Injection attacks.

I can't see a single reason for such a case. That's crazy talk.

t

On Tue, 15 Feb 2005 13:26:10 -0400, Michael Dinowitz <[EMAIL PROTECTED]> wrote:
> Personally, I see no reason for a CFQUERYPARAM being

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread Matthew Small
Couldn't you still pass SQL injection strings into a string parameter of a CFC?

- Matt Small

-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 12:26 PM
To: CF-Talk
Subject: CFQUERYPARAM in CFC?

Personally, I see no reason for a CFQUERYP

RE: CFQUERYPARAM in CFC?

2005-02-15 Thread Bryan F. Hogan
Without writing your own validation functions for the argument types it is still needed. Would you want to write a function type for every datatype for all the DBs?

-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 12:26 PM
To: CF-Talk
Su