I just received an e-mail from someone asking me to help him convince his coworkers to never use and . Well, he asked the wrong person for help. I have long been a fan of those tags, I encourage their use when appropriate, and would welcome additional related tags. Here is the reply I sent him:
Sorry, I can’t help you fight this one because I am siding with your coworkers. Lots of ColdFusion developers (particularly the very experienced long time CFers) have an almost violent reaction to the very mention of and . I am not one of them. In fact, I even use these tags myself on occasion, there, I said it.
and are designed to do one thing and one thing only, they are designed to make creating and updating database table rows using form field values absolutely brain-dead simple. That’s it.
If you need to do all sorts of processing to the data before the database call then you can’t use and . If you are using CFCs as a database abstraction layer then you can’t (and wouldn’t want to) use and . If you have relational tables and need better control over what rows are inserted where and access to generated primary keys then you may not be able to use and . And that’s fine. If you need any of those things then don’t use and .
But there are lots of very simple ColdFusion applications out there. Some are created by absolute beginners who are having to learn CFML, HTML, some JavaScript, and some SQL all at once – and they can (and should) use whatever shortcuts they can use to get the job done. There are also quick and dirty apps thrown together by all sorts of developers, and if and can make life simpler, then why not!?
Here are some facts to keep in mind. Fact: Most ColdFusion developers have never used a CFC (even those using CFMX or CFMX7). Fact: Most ColdFusion developers struggle with SQL statements. Fact: Most ColdFusion developers have no idea what a methodology or framework is. Fact: Most ColdFusion developers rely on to generate JavaScript form field validation. Fact: Most ColdFusion developers use less than 10 CFML tags on a regular basis. Fact: ColdFusion makes lots of entry-to-mid-level developers productive and successful. … The fact of the matter is that the very technical crowd that congregates on blogs and discussion lists is not a fair representation of most ColdFusion developers.
And what’s more, and actually help avoid common pitfalls and problems. Do variables need single quotes around them or not? Not an issue. Dates need to be handled specially? Nope. The dangers of a malformed WHERE clause (too many beginners have mistakenly typed WHERE id=id or WHERE #id#=#id# when they meant WHERE id=#id#) are diminished. SQL injection risks? Not an issue. These are real benefits not to be discounted.
and are not suitable for all applications. And many ColdFusion developers start off using and and then later learn the benefits of using . That’s how most of us learned ColdFusion – starting simply and adding language elements and functionality as needed and warranted.
The bottom line is that there is nothing inherently wrong with and . These tags have limitations, true, and so when you run into those limitations stop using the tags. ColdFusion is all about productivity. And if and make you productive, then use them.
UPDATE: Since this post was made, newer SQL injection attacks have come to light, some of which could indeed get past and . As such, my recommendation has changed, site security now demands the use of and instead of and .
Leave a Reply