I just received an e-mail from someone asking me to help him convince his coworkers to never use <CFINSERT> and <CFUPDATE>. Well, he asked the wrong person for help. I have long been a fan of those tags, I encourage their use when appropriate, and would welcome additional related tags. Here is the reply I sent him:
Sorry, I can't help you fight this one because I am siding with your coworkers. Lots of ColdFusion developers (particularly the very experienced long time CFers) have an almost violent reaction to the very mention of <CFINSERT> and <CFUPDATE>. I am not one of them. In fact, I even use these tags myself on occasion, there, I said it.
<CFINSERT> and <CFUPDATE> are designed to do one thing and one thing only, they are designed to make creating and updating database table rows using form field values absolutely brain-dead simple. That's it.
If you need to do all sorts of processing to the data before the database call then you can't use <CFINSERT> and <CFUPDATE>. If you are using CFCs as a database abstraction layer then you can't (and wouldn't want to) use <CFINSERT> and <CFUPDATE>. If you have relational tables and need better control over what rows are inserted where and access to generated primary keys then you may not be able to use <CFINSERT> and <CFUPDATE>. And that's fine. If you need any of those things then don't use <CFINSERT> and <CFUPDATE>.
But there are lots of very simple ColdFusion applications out there. Some are created by absolute beginners who are having to learn CFML, HTML, some JavaScript, and some SQL all at once - and they can (and should) use whatever shortcuts they can use to get the job done. There are also quick and dirty apps thrown together by all sorts of developers, and if <CFINSERT> and <CFUPDATE> can make life simpler, then why not!?
Here are some facts to keep in mind. Fact: Most ColdFusion developers have never used a CFC (even those using CFMX or CFMX7). Fact: Most ColdFusion developers struggle with SQL statements. Fact: Most ColdFusion developers have no idea what a methodology or framework is. Fact: Most ColdFusion developers rely on <CFINPUT> to generate JavaScript form field validation. Fact: Most ColdFusion developers use less than 10 CFML tags on a regular basis. Fact: ColdFusion makes lots of entry-to-mid-level developers productive and successful. ... The fact of the matter is that the very technical crowd that congregates on blogs and discussion lists is not a fair representation of most ColdFusion developers.
And what's more, <CFINSERT> and <CFUPDATE> actually help avoid common pitfalls and problems. Do variables need single quotes around them or not? Not an issue. Dates need to be handled specially? Nope. The dangers of a malformed WHERE clause (too many beginners have mistakenly typed WHERE id=id or WHERE #id#=#id# when they meant WHERE id=#id#) are diminished. SQL injection risks? Not an issue. These are real benefits not to be discounted.
<CFINSERT> and <CFUPDATE> are not suitable for all applications. And many ColdFusion developers start off using <CFINSERT> and <CFUPDATE> and then later learn the benefits of using <CFQUERY>. That's how most of us learned ColdFusion - starting simply and adding language elements and functionality as needed and warranted.
The bottom line is that there is nothing inherently wrong with <CFINSERT> and <CFUPDATE>. These tags have limitations, true, and so when you run into those limitations stop using the tags. ColdFusion is all about productivity. And if <CFINSERT> and <CFUPDATE> make you productive, then use them.
UPDATE: Since this post was made, newer SQL injection attacks have come to light, some of which could indeed get past <CFINSERT> and <CFUPDATE>. As such, my recommendation has changed, site security now demands the use of <CFQUERY> and <CFSTOREDPROC> instead of <CFINSERT> and <CFUPDATE>.
Don't criticise these small scale simple apps, businesses love them, they're fast, simple and easy. As long as the app is tidy and reasonably efficient given the effort required to get it running, what's the problem?
I'm sure there's a quote about making things as simple as possible but no simpler.
If you want to take away some of the aversion to cfinsert and update, give us some insight into what they really do behind the screens. For instance tell us if they properly use bind variables in recent versions. Tell us how they discover the primary key of a table.
I'd not advocate removing things like <cfinsert> and <cfupdate> from the language for exactly the reasons Ben cites. However that's not to say they should be encouraged.
I think the reason why there is a demographic of CF developer out there that struggles with such simple SQL as INSERT and UPDATE queries is down to <cfinsert> and <cfupdate>. Adobe (and its evangelists) should not encourage people to stay dumb. They should encourage them to improve.
Having - and encouraging - this demographic is counter-productive for CF, as it perpetuates (and provides statisicaly evidence for) the idea that CF is for gibbons, rather than "serious programmers" (whatever that means). There's no problem being a gibbon to start with (everyone needs to start somewhere), but it's bad to positively affirm the notion that it's OK to *stay* being a gibbon, rather than evolving.
--
Adam
I used to share your thoughts as well. People jump on the CF wagon because it's simple and easy to pickup as a first language. But I came to realize while meeting different CFers that not everyone cares to progress any. They need an application that takes this, puts it there, and returns something else, and that's final. They don't have the need, or desire for that reason, to learn select/insert/update/delete, and that may be why they came to CF.
For some, I think if they wanted to spend the time learning more advanced (although sometimes easier) ways of doing things, they may use more easily accessable solutions, such as PHP. While SQL and CFQUERY seem like simple concepts to us, they're probably not for the guy wanting to update a phone book entry on his Corporate Intranet.
Chris.
Seems to me that if you are going to be an effective devloper you should at least try to have a passing familiarity with the tools that are a requirement of your trade. Regardless if whether you're a CF developer or not, if you're programming for the web, SQL is a must. it doesn't take a rocket scientist to learn to type "insert into table(col1, col2) values (val1, val2)".
I think the value of being good with some flavour of SQL should be stressed a lot more then it is.
When all I need to do is move data from a form to a db, I still use <cfinsert> and <cfupdate>. In more complicated applications I use the <cfquery> tag. Simple as that. The existence of (and my use of) <cfinsert> and <cfupdate> didn't "encourage me to stay dumb". They are useful tags that serve a purpose.
For example, I've got an insertAddress function. Essentially, all it does is validate the arguments and pass them into the database. Rather than being able to use CFINSERT, I'm using the third-party DataMgr component:
<cfset Result.DataMgr = This.DataMgr.insertRecord
(TableName='address', Data=Arguments, OnExists='error')/>
It's a pity I can't just use core functionality to do something similar to:
<cfinsert table="address" data="arguments" onexists="error" result="result.cfinsert"/>
I agree with Ben and the others who are commenting on the utility of the simple tools when they fit the bill, and I don't see that as *necessarily* keeping CF coders dumb. In addition to my usual programming responsibilities, I also have the pleasure of introducing CF to people who are just getting their feet wet in server side scripting. Especially in a university environment, there is a lot of inertia behind PHP and Python; I can't tell you how eyes light up when I show such people that a simple inquiry form (e.g., send-me-more-info) can be handled with just a few lines of code!
These are smart people; inevitably they start to ask, "But what if...?" And then I show them CFQuery and CFQueryparam, CFStoreproc/param, etc. Sure, there's a built-in calculator in every OS I know of....I'd still recommend the $4.95 handheld from WalMart for balancing a checkbook, though.
/ejt
Thanks as always for an incisive post. Since little of my CF work for the past 8 years has been simple, CFINSERT / CFUPDATE have really never been options for me. Your list of CF developer facts scares me, though.
I guess if it is truly true that "Most ColdFusion developers have never used a CFC (even those using CFMX or CFMX7)." that "Most ColdFusion developers struggle with SQL statements." that "Most ColdFusion developers have no idea what a methodology or framework is." that "Most ColdFusion developers rely on <CFINPUT> to generate JavaScript form field validation." and that "Most ColdFusion developers use less than 10 CFML tags on a regular basis.", then maybe I begin to see why it can be so difficult to convince aherents to other languages that CF can be used as robustly as most.
Makes me sad, I guess, when I know the incredible complexity of development available to us with so much ease in CF.
-J-
Geert
Now, let's throw them to the wolves and introduce them to a framework. What is a popular concept about SQL? Let's abstract the hell out of it with an ORM Adapter and not ever write SQL unless I really have to have something custom?
There is a time and place for everything. Ben's facts don't surprise me. I am not saying that we have unintelligent CF'ers, but it takes a certain type of person to want to use different tags, functions and abstractors. These people are not typical nor average and they enjoy being so. These people are also the most celebrated most of the time because of their desire to share their discoveries in ways to make things easier.
Take it easy,
Teddy
Dave Watts, CTO, Fig Leaf Software
We have some software that is versioned and I have one interface to support all versions. to make a long story short, we have a config table that based on the version has different columns. Instead of having to have x number of edit and processing pages, i am able to have one processing page that cfupdates whatever was passed to it and the posting page knows what each version has (as far as columns go).
My point is there are situations where developers like myself (an experienced cf delevelop, including CFCs) can find cases where these tags are helpful.
- "CFINSERT and CFUPDATE did not generate injection-proof SQL"
Hi Ben,
Is there more info on this cfinsert/cfupdate sql-injection protection?
Thanks!,
-Aaron
They hack my site like clockwork every Friday night between 6pm - 11pm and they always insert the same malicious javascript into the same fields of the same 4 tables. Any ideas? Thanks!
--- Ben
ALSO, does CF9 have this same issue with this CF insert/update vulnerability? If so, then WHY?
Thanks!