2006 Use <CFINSERT> And <CFUPDATE>
I just received an e-mail from someone asking me to help him convince his coworkers to never use <CFINSERT> and <CFUPDATE>. Well, he asked the wrong person for help. I have long been a fan of those tags, I encourage their use when appropriate, and would welcome additional related tags. Here is the reply I sent him:
Sorry, I can't help you fight this one because I am siding with your coworkers. Lots of ColdFusion developers (particularly the very experienced long-time CFers) have an almost violent reaction to the very mention of <CFINSERT> and <CFUPDATE>. I am not one of them. In fact, I even use these tags myself on occasion. There, I said it.
<CFINSERT> and <CFUPDATE> are designed to do one thing and one thing only: they are designed to make creating and updating database table rows using form field values absolutely brain-dead simple. That's it.
If you need to do all sorts of processing to the data before the database call then you can't use <CFINSERT> and <CFUPDATE>. If you are using CFCs as a database abstraction layer then you can't (and wouldn't want to) use <CFINSERT> and <CFUPDATE>. If you have relational tables and need better control over what rows are inserted where and access to generated primary keys then you may not be able to use <CFINSERT> and <CFUPDATE>. And that's fine. If you need any of those things then don't use <CFINSERT> and <CFUPDATE>.
And what's more, <CFINSERT> and <CFUPDATE> actually help avoid common pitfalls and problems. Do variables need single quotes around them or not? Not an issue. Dates need to be handled specially? Nope. The dangers of a malformed WHERE clause (too many beginners have mistakenly typed WHERE id=id or WHERE #id#=#id# when they meant WHERE id=#id#) are diminished. SQL injection risks? Not an issue. These are real benefits not to be discounted.
<CFINSERT> and <CFUPDATE> are not suitable for all applications. And many ColdFusion developers start off using <CFINSERT> and <CFUPDATE> and then later learn the benefits of using <CFQUERY>. That's how most of us learned ColdFusion - starting simply and adding language elements and functionality as needed and warranted.
The bottom line is that there is nothing inherently wrong with <CFINSERT> and <CFUPDATE>. These tags have limitations, true, and so when you run into those limitations stop using the tags. ColdFusion is all about productivity. And if <CFINSERT> and <CFUPDATE> make you productive, then use them.
UPDATE: Since this post was made, newer SQL injection attacks have come to light, some of which could indeed get past <CFINSERT> and <CFUPDATE>. As such, my recommendation has changed: site security now demands the use of <CFQUERY> and <CFSTOREDPROC> instead of <CFINSERT> and <CFUPDATE>.
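The move from <CFUPDATE> to <CFQUERY> that the update above calls for, as an added example that is not code from the original post: the one-tag form handler beside one way to write the same update explicitly, binding each form value with <CFQUERYPARAM>. The datasource `appDSN`, the table `contacts` and the form field names are assumptions made for illustration.

```cfml
<!--- Constructed example: datasource "appDSN", table "contacts" and the
      form field names are assumptions, not names from the post. --->

<!--- Before: the one-tag form handler the post describes.
      FORMFIELDS limits which submitted fields are written. --->
<!---
<cfupdate datasource="appDSN" tablename="contacts"
          formfields="contact_id,first_name,email">
--->

<!--- After: the same update written out with CFQUERY. --->
<cfparam name="form.contact_id" default="">
<cfparam name="form.first_name" default="">
<cfparam name="form.email" default="">

<!--- Reject a non-numeric key before it reaches the database. --->
<cfif NOT isValid("integer", form.contact_id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<cfquery datasource="appDSN">
    UPDATE contacts
    SET    first_name = <cfqueryparam value="#form.first_name#"
                                      cfsqltype="cf_sql_varchar" maxlength="50">,
           email      = <cfqueryparam value="#form.email#"
                                      cfsqltype="cf_sql_varchar" maxlength="254">
    <!--- Column name on the left, bound value on the right: this is the
          WHERE id=#id# form, not WHERE id=id or WHERE #id#=#id#. --->
    WHERE  contact_id = <cfqueryparam value="#form.contact_id#"
                                      cfsqltype="cf_sql_integer">
</cfquery>
```

Each value is sent to the driver as a typed bind parameter, so quoting and type handling stay out of the SQL text, and the column list is fixed in the statement rather than taken from the submitted form.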
2006 Ryan Stewart On Apollo
Ryan Stewart sat down with Kevin Lynch to discuss Apollo, and has written up the details in a ZDNet story.
You'll be hearing a lot more about Apollo at MAX later this month.
2006 XPAAJ Libraries Now Include ColdFusion Examples