Hello, everyone.
I'm trying to build a dynamic WHERE clause for a query, based upon a user form submit. Since I can't use CFQUERYPARAM for the whole WHERE clause, is there a way to sanitize the WHERE clause?
I cannot use Stored Procedures, and it's an Oracle database, not my familiar MS-SQL.
Thank you,
^_^
You could use cfqueryparam if you pieced together the WHERE clause INSIDE of your cfquery. That is a much better practice overall.
<cfquery name="qResults" datasource="#application.dsn#">
<!--- name and datasource are assumed placeholders; the original post omitted them --->
SELECT colA,.. colF
FROM table
WHERE 1=1
<cfif structKeyExists(FORM, "colA") AND len(FORM.colA)>
AND colA = <cfqueryparam value="#FORM.colA#" cfsqltype="cf_sql_varchar" />
</cfif>
<cfif structKeyExists(FORM, "colB") AND len(FORM.colB)>
AND colB = <cfqueryparam value="#FORM.colB#" cfsqltype="cf_sql_varchar" />
</cfif>
<!--- etc, etc --->
ORDER BY colA, colD
</cfquery>
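The pattern in the answer above, as an added example that is not from the original thread, written in Python with sqlite3 so it runs stand-alone (the same idea maps directly onto cfqueryparam and Oracle bind variables). Column names and the table `t` are assumed. It builds the WHERE clause from whichever form fields are filled in, binds every value as a parameter, and allowlists the one thing a bind variable cannot protect, the identifier used in ORDER BY. The string-concatenation variant is included only to show what the injection does when values are pasted into the SQL text.

```python
import sqlite3

# Assumed schema: columns the form may filter on, and the subset it may sort by.
# Identifiers can never be bound as parameters, so they come only from these allowlists.
FILTERABLE = ("colA", "colB", "colC", "colD")
SORTABLE = ("colA", "colD")


def build_where(form):
    """Return (sql_fragment, params) for every non-empty filterable field in form.

    Mirrors the cfif/cfqueryparam chain: only allowlisted column names reach the
    SQL text, and each user-supplied value becomes a named bind parameter.
    """
    clauses = ["1=1"]
    params = {}
    for col in FILTERABLE:
        val = form.get(col)
        if val is None or len(val) == 0:
            continue
        clauses.append(f"{col} = :{col}")
        params[col] = val
    return " AND ".join(clauses), params


def sort_accepted(name):
    """True only for column names the query is allowed to sort on."""
    return name in SORTABLE


def build_query(form):
    """Assemble the full statement; reject any sort column not on the allowlist."""
    where, params = build_where(form)
    sort = form.get("sort", "colA")
    if not sort_accepted(sort):
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = f"SELECT colA, colB, colC, colD FROM t WHERE {where} ORDER BY {sort}"
    return sql, params


def search(conn, form):
    """Parameterised search: values travel as bind parameters, never as SQL text."""
    sql, params = build_query(form)
    return [tuple(row) for row in conn.execute(sql, params)]


def search_unsafe(conn, form):
    """The concatenation approach the question was trying to sanitize. Do not use."""
    where = "1=1"
    for col in FILTERABLE:
        val = form.get(col)
        if val:
            where += f" AND {col} = '{val}'"
    sql = f"SELECT colA, colB, colC, colD FROM t WHERE {where} ORDER BY colA"
    return [tuple(row) for row in conn.execute(sql)]


def demo_db():
    """Constructed in-memory table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (colA TEXT, colB TEXT, colC TEXT, colD TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?, ?, ?, ?)",
        [
            ("alice", "x", "1", "b"),
            ("bob", "y", "2", "c"),
            ("carol", "x", "3", "a"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    tautology = {"colA": "' OR '1'='1"}
    print("unsafe  :", search_unsafe(db, tautology))  # every row leaks
    print("bound   :", search(db, tautology))         # no row has that literal colA
    print("filtered:", search(db, {"colB": "x", "sort": "colD"}))
```

The value `' OR '1'='1` returns all three rows through `search_unsafe` and zero rows through `search`, because the bound parameter is compared as a literal string. A form that tries to smuggle `colA; DROP TABLE t` through the `sort` field is rejected before any SQL is built, which is the check the answer's static `ORDER BY colA, colD` sidesteps and that you need as soon as the sort column comes from the user too.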
Why can't you use cfqueryparam for a dynamic WHERE clause? I do it all the time.
Jason