> From: Tyler Fitch [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 15, 2005 1:31 PM
> To: CF-Talk
> Subject: Re: CFQUERYPARAM in CFC?
>
> Holy crap. That's an amazing thing to say. CFARGUMENT doesn't filter
> SQL Injection attacks.
>
> I can'
What?!?!? Don't feed the trolls! :P
- Calvin
-Original Message-
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 16, 2005 6:29 AM
To: CF-Talk
Subject: RE: CFQUERYPARAM in CFC?
I suspect Mike was trolling in his own forum... ;-)
-Original Message-
From: Calvin Ward [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 16 February 2005 7:26
To: CF-Talk
Subject: RE: CFQUERYPARAM in CFC?
I'm thinking that's over the top.
The only crazy question is the one that's never asked.
- Calvin
-Original Message-
From: Tyler Fitch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 1:31 PM
To: CF-Talk
Subject: Re: CFQUERYPARAM in CFC?
Thank you all for bringing out the arguments for the use of CFQUERYPARAM for
everyone to read. I expect that this will motivate many here to start using the
tag, now that they see its use.
One thing not mentioned is that the tag cannot be used along with cached
queries using CachedWithin and
Hey Mike,
For security, CFQueryparam interacts with the database driver,
telling it that the value provided is only a value and not SQL code -
without it, a string arg could still contain injection code
For performance, "bind" queries can be cached by some RDBMS platforms
providing a performance
cute time drops for subsequent iterations of query 2?
btw: running oracle 9.
/t
>-Original Message-
>From: Nathan Strutz [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, February 15, 2005 7:50 PM
>To: CF-Talk
>Subject: Re: CFQUERYPARAM in CFC?
>
>You typically won't see any
You typically won't see any cfqueryparam performance gains on low-usage
queries and servers. In these cases, the reason for using them is
typically security, standardization and best practices.
Under heavy loads, cfqueryparam (sql bind variables actually) can help
your database cache queries, h
If your backend database supports it, then CFQUERYPARAM implements bind
variables for your query.
Consider:
"select * from emp where id = #variable#"
if you execute this for employee 1, 2, 3, etc, then:
- without bind variables, the db will reparse the statement each and
every time, because the
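The contrast this thread keeps coming back to, as an added example that is not from any of the messages here: a CFC method where a cfargument of type string leaves the value spliced into the SQL text, beside the same method using cfqueryparam so the value travels as a bind variable, plus the "where id = #variable#" case from the message above. The emp table, its columns and the hr datasource are assumed for illustration.

```cfml
<!--- Added example, not from any message in this thread; the "emp" table
      (id numeric, last_name varchar) and the "hr" datasource are assumed. --->
<cfcomponent>
    <!--- BEFORE: type="string" only checks that a string arrived; the value is
          spliced into the SQL text, so quotes inside it can change the statement. --->
    <cffunction name="getEmployeeUnsafe" access="public" returntype="query">
        <cfargument name="lastName" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="hr">
            select id, last_name from emp
            where last_name = '#arguments.lastName#'
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- AFTER: cfqueryparam hands the value to the driver as a bind variable,
          separate from the SQL text: it cannot alter the statement's structure, and
          the server sees identical SQL on every call, so it can reuse the parsed plan. --->
    <cffunction name="getEmployee" access="public" returntype="query">
        <cfargument name="lastName" type="string" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="hr">
            select id, last_name from emp
            where last_name = <cfqueryparam value="#arguments.lastName#"
                                            cfsqltype="cf_sql_varchar" maxlength="50">
        </cfquery>
        <cfreturn q>
    </cffunction>

    <!--- The "where id = #variable#" case from the thread: type="numeric" rejects
          non-numbers at the call site and cf_sql_integer binds the value. --->
    <cffunction name="getEmployeeById" access="public" returntype="query">
        <cfargument name="id" type="numeric" required="true">
        <cfset var q = "">
        <cfquery name="q" datasource="hr">
            select id, last_name from emp
            where id = <cfqueryparam value="#arguments.id#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn q>
    </cffunction>
</cfcomponent>
```

Calling getEmployee("Smith") and getEmployee("Jones") sends the same statement text with different bound values, which is the cache reuse the message above describes; the unsafe version sends a different statement string each time.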
> Personally, I see no reason for a CFQUERYPARAM being used
> inside a CFC. It adds extra overhead and the protection that
> it provides should be provided instead by the CFARGUMENT tag.
> Does anyone see a reason for it in such a case? Data binding?
How exactly would you provide the requisite
> Personally, I see no reason for a CFQUERYPARAM being used inside a CFC. It
> adds extra overhead and the protection that it provides should be provided
> instead by the CFARGUMENT tag. Does anyone see a reason for it in such a
> case? Data binding?
Besides the fact that security should be perfor
Holy crap. That's an amazing thing to say. CFARGUMENT doesn't filter
SQL Injection attacks.
I can't see a single reason for such a case.
That's crazy talk.
t
On Tue, 15 Feb 2005 13:26:10 -0400, Michael Dinowitz
<[EMAIL PROTECTED]> wrote:
> Personally, I see no reason for a CFQUERYPARAM being
Couldn't you still pass SQL injection strings into a string parameter of a
CFC?
- Matt Small
-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 12:26 PM
To: CF-Talk
Subject: CFQUERYPARAM in CFC?
Personally, I see no reason for a CFQUERYP
Without writing your own validation functions for the argument types it is
still needed. Would you want to write a function type for every datatype for
all the DBs?
-Original Message-
From: Michael Dinowitz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 15, 2005 12:26 PM
To: CF-Talk