I just received an e-mail from someone asking me to help him convince his coworkers to never use <CFINSERT> and <CFUPDATE>. Well, he asked the wrong person for help. I have long been a fan of those tags, I encourage their use when appropriate, and would welcome additional related tags. Here is the reply I sent him:
Sorry, I can't help you fight this one because I am siding with your coworkers. Lots of ColdFusion developers (particularly the very experienced long time CFers) have an almost violent reaction to the very mention of <CFINSERT> and <CFUPDATE>. I am not one of them. In fact, I even use these tags myself on occasion, there, I said it.
<CFINSERT> and <CFUPDATE> are designed to do one thing and one thing only, they are designed to make creating and updating database table rows using form field values absolutely brain-dead simple. That's it.
If you need to do all sorts of processing to the data before the database call then you can't use <CFINSERT> and <CFUPDATE>. If you are using CFCs as a database abstraction layer then you can't (and wouldn't want to) use <CFINSERT> and <CFUPDATE>. If you have relational tables and need better control over what rows are inserted where and access to generated primary keys then you may not be able to use <CFINSERT> and <CFUPDATE>. And that's fine. If you need any of those things then don't use <CFINSERT> and <CFUPDATE>.
But there are lots of very simple ColdFusion applications out there. Some are created by absolute beginners who are having to learn CFML, HTML, some JavaScript, and some SQL all at once - and they can (and should) use whatever shortcuts they can use to get the job done. There are also quick and dirty apps thrown together by all sorts of developers, and if <CFINSERT> and <CFUPDATE> can make life simpler, then why not!?
Here are some facts to keep in mind. Fact: Most ColdFusion developers have never used a CFC (even those using CFMX or CFMX7). Fact: Most ColdFusion developers struggle with SQL statements. Fact: Most ColdFusion developers have no idea what a methodology or framework is. Fact: Most ColdFusion developers rely on <CFINPUT> to generate JavaScript form field validation. Fact: Most ColdFusion developers use less than 10 CFML tags on a regular basis. Fact: ColdFusion makes lots of entry-to-mid-level developers productive and successful. ... The fact of the matter is that the very technical crowd that congregates on blogs and discussion lists is not a fair representation of most ColdFusion developers.
And what's more, <CFINSERT> and <CFUPDATE> actually help avoid common pitfalls and problems. Do variables need single quotes around them or not? Not an issue. Dates need to be handled specially? Nope. The dangers of a malformed WHERE clause (too many beginners have mistakenly typed WHERE id=id or WHERE #id#=#id# when they meant WHERE id=#id#) are diminished. SQL injection risks? Not an issue. These are real benefits not to be discounted.
<CFINSERT> and <CFUPDATE> are not suitable for all applications. And many ColdFusion developers start off using <CFINSERT> and <CFUPDATE> and then later learn the benefits of using <CFQUERY>. That's how most of us learned ColdFusion - starting simply and adding language elements and functionality as needed and warranted.
The bottom line is that there is nothing inherently wrong with <CFINSERT> and <CFUPDATE>. These tags have limitations, true, and so when you run into those limitations stop using the tags. ColdFusion is all about productivity. And if <CFINSERT> and <CFUPDATE> make you productive, then use them.
UPDATE: Since this post was made, newer SQL injection attacks have come to light, some of which could indeed get past <CFINSERT> and <CFUPDATE>. As such, my recommendation has changed, site security now demands the use of <CFQUERY> and <CFSTOREDPROC> instead of <CFINSERT> and <CFUPDATE>.
ALSO, does CF9 have this same issue with this CF insert/update vulnerability? If so, then WHY?
Thanks!