Skip to main content
A
Anonymous
July 27, 2012
Question

cfqueryparam questions

  • July 27, 2012
  • 2 replies
  • 1417 views

1. Are parameterized queries needed in a query where no user entered data is used, like looking up something in a code table or looking up a record by ids assigned by a program ?

2. A program I've become responsible for uses cfinput and cfupdate. Do they take care of parameterizing automatically ?

    This topic has been closed for replies.

    2 replies

    A
    Adam Cameron.
    Inspiring
    July 27, 2012

    If it's a dynamic as opposed to a static value, it should be passed as a parameter.

    I detail the whys & wherefors in this article, which might be useful to you: http://adamcameroncoldfusion.blogspot.co.uk/2012/07/what-one-can-and-cannot-do-with.html

    Thinking about it, even with a static value I might consider parameterising it: it's a VALUE, not part of the SQL statement.  I think people most often hard-code these too, though, because they don't change, so will not impact the query compilation process.

    As for <cfinsert> and <cfupdate>.  They certainly didn't USED to be parameterised.  I think they are now, since CF9 though.  I'm pretty sure if you have DB debugging displaying, the generated SQL from these tags is output, so you could check...

    --

    Adam

    WolfShade
    WolfShade
    Legend
    July 27, 2012

    Thank you for the link to the blog, Adam.  Nice article!  Was not aware of how the process works.  (I love CF, but never really learned the inner workings.)

    ^_^

    A
    Adam Cameron.
    Inspiring
    July 29, 2012

    Just to follow up on the <cfinsert> and <cfupdate> thing, I've done some investigation there too: http://bit.ly/MN0XYS.

    The important bit is that these two tags do indeed use parameters for their values these days (and since at least CF8.0.1), so that's something.

    --

    Adam

    WolfShade
    WolfShade
    Legend
    July 27, 2012

    1. If the query is hardcoded, no; if the query uses dynamic data, I would suggest using CFQUERYPARAM, anyway.. why risk it?

    2. I, personally, despise CFUPDATE.  I don't think it's safe.  Plus a standard query/SP gives much more granular control.

    Just my $0.02 worth.

    ^_^

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices