
cfqueryparam questions

Jul 27, 2012

1. Are parameterized queries needed in a query where no user-entered data is used, like looking up something in a code table or looking up a record by IDs assigned by a program?

2. A program I've become responsible for uses cfinput and cfupdate. Do they take care of parameterizing automatically?

Jul 27, 2012

1. If the query is hardcoded, no; if the query uses dynamic data, I would suggest using CFQUERYPARAM anyway... why risk it?

2. I, personally, despise CFUPDATE. I don't think it's safe. Plus a standard query/SP gives much more granular control.

Just my $0.02 worth.

^_^

Jul 27, 2012

If it's a dynamic as opposed to a static value, it should be passed as a parameter.

I detail the whys and wherefores in this article, which might be useful to you: http://adamcameroncoldfusion.blogspot.co.uk/2012/07/what-one-can-and-cannot-do-with.html

Thinking about it, even with a static value I might consider parameterising it: it's a VALUE, not part of the SQL statement. I think people most often hard-code these too, though, because they don't change, so will not impact the query compilation process.

As for <cfinsert> and <cfupdate>: they certainly didn't USE to be parameterised. I think they are now, since CF9 though. I'm pretty sure if you have DB debugging displaying, the generated SQL from these tags is output, so you could check...

--

Adam

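As an added example (not code from the thread or from any of the posters), here is a CFML fragment that puts the advice from the two replies above side by side: the string-interpolated lookup the replies warn against, the same lookup with <cfqueryparam>, a static code-table value parameterised anyway because it is a value rather than SQL, and an update written as a standard query instead of <cfupdate>. The datasource name "appDSN", the tables products and status_codes, and the url/form fields are assumptions for the example.

```cfml
<!--- Added example, not from the thread. Assumed datasource "appDSN" with tables
      products (id, name, status_code) and status_codes (code, label). --->

<!--- 1. Dynamic value interpolated into the SQL string. The value becomes part of
         the statement text itself; this is the pattern the replies advise against. --->
<cfquery name="qBad" datasource="appDSN">
    SELECT id, name
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- 2. Same lookup with the value bound as a parameter. The driver receives a
         placeholder plus a typed value; cf_sql_integer also rejects non-numeric
         input before anything is sent to the database. --->
<cfquery name="qGood" datasource="appDSN">
    SELECT id, name
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 3. Static code-table lookup. The value never changes, but it is still a VALUE,
         not SQL, so binding it keeps one consistent habit across all queries. --->
<cfquery name="qStatus" datasource="appDSN">
    SELECT label
    FROM   status_codes
    WHERE  code = <cfqueryparam value="ACTIVE" cfsqltype="cf_sql_varchar" maxlength="10">
</cfquery>

<!--- 4. Update as a standard query instead of <cfupdate>: every column is bound
         explicitly, and only the columns listed here can ever be changed. --->
<cfquery datasource="appDSN" result="updResult">
    UPDATE products
    SET    name        = <cfqueryparam value="#form.name#"        cfsqltype="cf_sql_varchar" maxlength="100">,
           status_code = <cfqueryparam value="#form.status_code#" cfsqltype="cf_sql_varchar" maxlength="10">
    WHERE  id          = <cfqueryparam value="#form.id#"          cfsqltype="cf_sql_integer">
</cfquery>

<!--- 5. Check what was actually sent: the result struct holds the SQL with its
         placeholders and the bound values separately. --->
<cfoutput>
    <p>Submitted SQL: #updResult.sql#</p>
</cfoutput>
<cfdump var="#updResult.sqlparameters#" label="Bound parameter values">
```

Reading the result struct's sql and sqlparameters members, as in step 5, is a way to confirm that values went to the driver as parameters rather than as statement text, without turning on the debugging output mentioned in the reply above.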
Jul 27, 2012

Thank you for the link to the blog, Adam. Nice article! Was not aware of how the process works. (I love CF, but never really learned the inner workings.)

^_^

Jul 29, 2012

Just to follow up on the <cfinsert> and <cfupdate> thing, I've done some investigation there too: http://bit.ly/MN0XYS.

The important bit is that these two tags do indeed use parameters for their values these days (and since at least CF8.0.1), so that's something.

--

Adam
