Question
I have done many inserts/updates, and the question that has always been on top of my mind is where I should trim the values that I'm inserting or updating. In this case I use ColdFusion as my server-side programming language and Microsoft SQL is my database language. So if I'm doing an insert, should I trim the values in ColdFusion or in SQL? Do I have to do it in both? What is more efficient? I was wondering if this can improve efficiency if I follow some recommended steps. Here is an example from one of my Insert codes:
<cfset userphone = trim(user_phonenum)>
<cfset userdob = trim(user_dob)>
INSERT INTO UserTest
    ( mm_phone,
      mm_dob
    )
VALUES
    (
      '#trim(userphone)#',
      CASE WHEN LTRIM(RTRIM('#userdob#')) = '' THEN NULL ELSE LTRIM(RTRIM('#userdob#')) END
    )
In the code above I have used the ColdFusion trim where I set both values, userphone and userdob. Should I do the trim there or down below in the SQL Insert statement? What is better and more efficient? If anyone can help, please let me know. Thank you.
Answer 1:
You can automatically trim all form fields by using onRequestStart() inside of your Application.cfc file. This code runs at the top of every HTTP POST.
<cffunction name="onRequestStart" returnType="boolean">
    <cfargument type="String" name="targetPage" required="true" />
    <cfif CGI.REQUEST_METHOD IS "POST">
        <cfloop collection="#form#" item="local.field">
            <cfset form[local.field] = trim(form[local.field])>
        </cfloop>
    </cfif>
    <cfreturn true>
</cffunction>
If you're using ColdFusion 11 or later, you can also scrub the form data using the native AntiSamy function getSafeHTML(). This removes malicious XSS attack code.
<cfset form[local.field] = trim(getSafeHTML(form[local.field]))>
More info here: http://blogs.coldfusion.com/post.cfm/security-enhancements-in-coldfusion-splendor-pbkdf2-and-antisamy
Then, if your query is just done via the CF code, then you should:
- Scope your variables to the form scope.
- Use cfqueryparam to protect against SQL Injection attacks.
INSERT INTO UserTest (
    mm_phone
    , mm_dob
)
VALUES (
    <cfqueryparam value="#form.userphone#" cfsqltype="cf_sql_varchar" />
    <cfif len(form.userdob) EQ 0>
        , <cfqueryparam cfsqltype="cf_sql_date" null="true" />
    <cfelse>
        , <cfqueryparam value="#form.userdob#" cfsqltype="cf_sql_date" />
    </cfif>
)
Answer 2:
Try to handle the trim on the server side, in ColdFusion. The data needs to be validated before it gets inserted into the database.
You would say, "I have client-side validation," but a user can easily bypass that via several plugins, etc. I would handle the trim at the ColdFusion level.
One more thing, as a tip: I personally always like to handle validation, setting variables, or any conditional logic, etc., before the actual insert. The insert should just insert the values of the variables; all the preprocessing and validation should happen before you are in the cfquery tag, if that's possible.
HTH.
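As an added example (not code from any of the answers), here is the pattern this answer describes, combined with the cfqueryparam insert from Answer 1: trim and validate in ColdFusion first, then run a query that only binds already-clean values. It assumes the form fields user_phonenum and user_dob from the question and a datasource named myDSN; the phone pattern is a constructed, illustrative one.

```cfml
<!--- Added example (not from the original post). Assumes form.user_phonenum,
      form.user_dob and a datasource "myDSN". --->
<cfset errors = []>

<!--- Trim once, here, so the SQL never needs to know about LTRIM/RTRIM --->
<cfset phone = trim(form.user_phonenum)>
<cfset dob   = trim(form.user_dob)>

<!--- Validate before touching the database (illustrative phone pattern) --->
<cfif NOT reFind("^[0-9+() -]{7,20}$", phone)>
    <cfset arrayAppend(errors, "Phone number is not in an expected format.")>
</cfif>
<cfif len(dob) AND NOT isDate(dob)>
    <cfset arrayAppend(errors, "Date of birth is not a valid date.")>
</cfif>

<cfif arrayLen(errors)>
    <!--- Hand the errors back to the form; nothing was written --->
    <cfset request.validationErrors = errors>
<cfelse>
    <!--- The insert only binds clean values; cfqueryparam sends them as bound
          parameters, so no user input is ever concatenated into the SQL --->
    <cfquery name="insertUser" datasource="myDSN">
        INSERT INTO UserTest ( mm_phone, mm_dob )
        VALUES (
            <cfqueryparam value="#phone#" cfsqltype="cf_sql_varchar" maxlength="20" />,
            <cfif len(dob)>
                <cfqueryparam value="#dob#" cfsqltype="cf_sql_date" />
            <cfelse>
                <cfqueryparam null="true" cfsqltype="cf_sql_date" />
            </cfif>
        )
    </cfquery>
</cfif>
```

Because isDate() has already rejected bad input, the cf_sql_date parameter cannot fail at bind time, and the empty-string-to-NULL decision lives in ColdFusion rather than in a database-specific CASE expression.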
Answer 3:
Even when you use "#trim(someVar)#" within <cfquery>, you are still trimming in ColdFusion. So let me rephrase your question to:
"Should I trim values with ColdFusion before passing them to the Database Management System or should I pass the values untrimmed and let the database do the trimming?".
The best answer is: trim the values with ColdFusion before passing them to the database. This complies with at least 3 GRASP patterns (GRASP = General Responsibility Assignment Software Patterns):
Information Expert: ColdFusion is the expert who knows what the variable is, where it comes from and what its value should be. As such ColdFusion should do the trimming.
Low Coupling: Different database brands generally have different functions for trimming. Implementing any such function in cfquery would imply that ColdFusion knows too much about a particular database brand. This intimacy would increase coupling.
Protected Variation: Suppose, in the SQL in cfquery, you implement the trimming function of one particular database brand. Then your code will break when you switch the database to a brand for which the trim function is defined differently.
Source: https://stackoverflow.com/questions/41754426/should-i-trim-values-in-sql-or-coldfusion