ColdFusion/MySQL security vulnerability

It is widely known that ColdFusion protects developers from string based SQL injection attacks. This is because the ColdFusion server automatically escapes single quoutes (single quotes are a common SQL injection component). However, if you are using MySQL with ColdFusion, you may want check your MySQL version and configuration. First of all, remember that using cfqueryparam will protect you from SQL injection, even from this vulnerability I am talking about.


SQL Server 2005 benchmarking

I've been curious for a while how Microsoft's latest database offering stacks up against the competition. So I did some searching today, and unfortunately couldn't find any good results. The problem is that most DB people don't understand how to do good benchmarking. Most people point to the Transaction Processing Council's database of benchmarks, but these are not valid benchmarks. Why? Because they don't standardize the hardware. Their goal is to show how fast you can run a database, without taking into account cost and personal bias. The results in their database are often from servers that cost millions of dollars. This would be fine if every test was from the same million dollar hardware, but it's not. So there are way too many competing factors.

Good benchmarks test competing systems on the same exact hardware, in the same exact lab environment, with the same exact tests for all systems. That way the only variable is the system you are testing. TCP's tests have a large array of variables, so there's no way to know why one system performs better than the other. So I'm going to have to keep my eyes peeled for a true benchmark. I did see one that compared SQL Server 2000 to Oracle, DB2, and MySQL, and it was a true benchmark (MSSQL paled in comparison). But I have yet to see one for MSSQL 2005.

MySQL usage on the rise in ColdFusion community

OK, that post title is a bit misleading, because I don't have any concrete evidence of this. But I have seen a lot of MySQL discussions on CF-Talk lately. Here are some examples: Thread 1 Thread 2 Thread 3 Thread 4.

It seems that a lot of CF developers will use Microsoft Access for low end and/or low budget projects. Personally, I think this is crazy (Access can't handle concurrency). However, it seems that at least some of said developers are looking at MySQL as a better alternative.