goxmedia
Participant
August 14, 2011
Question

CFQUERY Datatypes and Quotes


Hello,

In CFQUERY operations, can someone advise as to the following:

1. What data types REQUIRE single quotes for UPDATE and INSERT statements?

  * We are using MS SQL 2008 R2 with CF9

2. Is it best practice to use CFQUERYPARAM for EVERY statement nowadays?

I searched everywhere but can't seem to find any type of reference sheet anywhere that I can use when building my statements.

Thanks in advance.

G.



    Inspiring
    August 15, 2011

    Using cfqueryparam is a good idea unless there is a reason not to.  With CF9/MS SQL those reasons will be few and far between.

    goxmedia (Author)
    Participant
    August 15, 2011

    ... thanks Dan.

    Participating Frequently
    August 14, 2011

    Use CFQUERYPARAM and you don't have to worry about it ...

    Basically, only numbers don't use the string delimiter. Date/times depend on how you want to format them ... again, use CFQUERYPARAM and never worry about it again.

    Inspiring
    August 15, 2011

    >> We are using MS SQL 2008 R2 with CF9

    >> Use CFQUERYPARAM and you don't have to worry about it ...

    More importantly you should be using cfqueryparam anyway to protect your queries against sql injection.

    http://www.petefreitag.com/item/677.cfm

    http://www.coldfusionmuse.com/index.cfm/2008/2/22/sql-injection-on-a-character-field

    http://www.12robots.com/index.cfm/2008/7/30/SQL-Injection-is-only-the-beginning-ltcfqueryparamgt-is-the-easy-part
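As an added illustration of the advice in this reply (example code written for this page, not from the thread or its authors; the datasource, table, column and URL variable names are assumed), the same UPDATE written first with interpolated values and then with cfqueryparam:

```cfml
<!--- Assumed names: datasource "myDSN", table "articles", URL parameters title/published/id. --->

<!--- Version 1: values are pasted into the SQL text. The developer has to know which
      types take quotes (strings and dates do, numbers and bits do not), and whatever
      arrives in url.title or url.id becomes part of the statement SQL Server parses. --->
<cfquery datasource="myDSN">
    UPDATE articles
    SET    title     = '#url.title#',
           published = #url.published#,
           edited_on = '#dateFormat(now(), "yyyy-mm-dd")#'
    WHERE  id = #url.id#
</cfquery>

<!--- Version 2: each value is sent as a typed bind parameter. No quoting decisions,
      a value can never change the shape of the statement, and a non-numeric url.id
      is rejected by ColdFusion before the query is sent because of cf_sql_integer. --->
<cfquery datasource="myDSN">
    UPDATE articles
    SET    title     = <cfqueryparam value="#url.title#"     cfsqltype="cf_sql_varchar" maxlength="200">,
           published = <cfqueryparam value="#url.published#" cfsqltype="cf_sql_bit">,
           edited_on = <cfqueryparam value="#now()#"         cfsqltype="cf_sql_timestamp">
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The cfsqltype also lets SQL Server reuse the cached execution plan across calls, which is the usual reason to prefer it even where injection is not a concern.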

    goxmedia (Author)
    Participant
    August 15, 2011

    ... thanks cfSarching.