I just received an e-mail from someone asking me to help him convince his coworkers to never use cfinsert and cfupdate. Well, he asked the wrong person for help. I have long been a fan of those tags, I encourage their use when appropriate, and I would welcome additional related tags. Here is the reply I sent him:
Sorry, I can’t help you fight this one because I am siding with your coworkers. Lots of ColdFusion developers (particularly the very experienced, long-time CFers) have an almost violent reaction to the very mention of cfinsert and cfupdate. I am not one of them. In fact, I even use these tags myself on occasion. There, I said it.
cfinsert and cfupdate are designed to do one thing and one thing only: make creating and updating database table rows from form field values absolutely brain-dead simple. That’s it.
If you need to do all sorts of processing to the data before the database call, then you can’t use cfinsert and cfupdate. If you are using CFCs as a database abstraction layer, then you can’t (and wouldn’t want to) use cfinsert and cfupdate. If you have relational tables and need better control over which rows are inserted where, or access to generated primary keys, then you may not be able to use cfinsert and cfupdate. And that’s fine. If you need any of those things, then don’t use cfinsert and cfupdate.
And what’s more, cfinsert and cfupdate actually help avoid common pitfalls and problems. Do variables need single quotes around them or not? Not an issue. Dates need to be handled specially? Nope. The dangers of a malformed WHERE clause (too many beginners have mistakenly typed WHERE id=id or WHERE #id#=#id#, both of which are always true, when they meant WHERE id=#id#) are diminished. SQL injection risks? Not an issue. These are real benefits not to be discounted.
cfinsert and cfupdate are not suitable for all applications. And many ColdFusion developers start off using cfinsert and cfupdate and then later learn the benefits of using cfquery. That’s how most of us learned ColdFusion: starting simply and adding language elements and functionality as needed and warranted.
The bottom line is that there is nothing inherently wrong with cfinsert and cfupdate. These tags have limitations, true, and so when you run into those limitations, stop using the tags. ColdFusion is all about productivity. And if cfinsert and cfupdate make you productive, then use them.
UPDATE: Since this post was written, newer SQL injection attacks have come to light, some of which could indeed get past cfinsert and cfupdate. As such, my recommendation has changed: site security now demands the use of cfquery and cfqueryparam instead of cfinsert and cfupdate.
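To make the trade-off in the post and in the UPDATE concrete, here is an added example; it is not code from the original post. It shows the three forms side by side: the cfinsert/cfupdate version the post defends, the hand-written cfquery that exhibits the quoting, date and WHERE-clause pitfalls listed above, and the cfquery-with-cfqueryparam version the UPDATE recommends. The datasource name myDSN, the Employees table and its columns are assumptions made for the example.

```cfml
<!--- Added example, not from the original post.
      Assumed datasource "myDSN" and table
      Employees(EmployeeID int primary key, FirstName varchar(50), HireDate date). --->

<!--- 1. The brain-dead-simple form the post defends: column names are taken
      from the form field names, and quoting and dates are handled for you.
      cfupdate needs the primary key among the form fields to build its WHERE. --->
<cfif structKeyExists(FORM, "EmployeeID") and len(FORM.EmployeeID)>
  <cfupdate datasource="myDSN" tablename="Employees"
            formfields="EmployeeID,FirstName,HireDate">
<cfelse>
  <cfinsert datasource="myDSN" tablename="Employees"
            formfields="FirstName,HireDate">
</cfif>

<!--- 2. The hand-written equivalent that trips up beginners. Every pitfall
      the post lists is visible here: the string needs quotes, the date must
      be in a literal format the database accepts, and the WHERE clause is
      easy to mistype (WHERE EmployeeID = EmployeeID is always true and would
      update every row). ColdFusion doubles single quotes inside #...# within
      cfquery, but the unquoted numeric WHERE value is pasted into the SQL
      text verbatim, so FORM.EmployeeID = "1 OR 1=1" also updates every row.
      Do not use this form. --->
<cfquery datasource="myDSN">
  UPDATE Employees
     SET FirstName = '#FORM.FirstName#',
         HireDate  = '#FORM.HireDate#'
   WHERE EmployeeID = #FORM.EmployeeID#
</cfquery>

<!--- 3. What the UPDATE recommends: cfquery with cfqueryparam. Each value is
      bound as a typed parameter rather than spliced into the statement, so
      quoting and date conversion are handled by the driver, maxlength caps
      the string, and a form value cannot change the shape of the SQL. --->
<cfquery datasource="myDSN">
  UPDATE Employees
     SET FirstName = <cfqueryparam value="#FORM.FirstName#"
                                   cfsqltype="cf_sql_varchar" maxlength="50">,
         HireDate  = <cfqueryparam value="#FORM.HireDate#"
                                   cfsqltype="cf_sql_date">
   WHERE EmployeeID = <cfqueryparam value="#FORM.EmployeeID#"
                                    cfsqltype="cf_sql_integer">
</cfquery>
```

The third form is only marginally longer than the first, and unlike cfinsert/cfupdate it keeps working when you add processing before the call, move the query into a CFC, or need a generated key back; the cfsqltype on each parameter is also what rejects a non-numeric EmployeeID before it ever reaches the database.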