Skip navigation
lwfg
lwfg
Currently Being Moderated

cfqueryparam questions

Jul 27, 2012 5:27 AM

1. Are parameterized queries needed in a query where no user entered data is used, like looking up something in a code table or looking up a record by ids assigned by a program ?

2. A program I've become responsible for uses cfinput and cfupdate. Do they take care of parameterizing automatically ?

534 Views   4 Replies   Latest reply: Adam Cameron., Jul 29, 2012 6:43 AM
 
Replies
  • WolfShade
    Currently Being Moderated
    1. WolfShade,
    Jul 27, 2012 5:45 AM   in reply to lwfg
    Report

    1. If the query is hardcoded, no; if the query uses dynamic data, I would suggest using CFQUERYPARAM, anyway.. why risk it?

     

    2. I, personally, despise CFUPDATE.  I don't think it's safe.  Plus a standard query/SP gives much more granular control.

     

    Just my $0.02 worth.

     

    ^_^

     
    |
    Mark as:
  • Adam Cameron.
    Currently Being Moderated
    2. Adam Cameron.,
    Jul 27, 2012 5:57 AM   in reply to lwfg
    Report

    If it's a dynamic as opposed to a static value, it should be passed as a parameter.

     

    I detail the whys & wherefors in this article, which might be useful to you: http://adamcameroncoldfusion.blogspot.co.uk/2012/07/what-one-can-and-c annot-do-with.html

     

    Thinking about it, even with a static value I might consider parameterising it: it's a VALUE, not part of the SQL statement.  I think people most often hard-code these too, though, because they don't change, so will not impact the query compilation process.

     

    As for <cfinsert> and <cfupdate>.  They certainly didn't USED to be parameterised.  I think they are now, since CF9 though.  I'm pretty sure if you have DB debugging displaying, the generated SQL from these tags is output, so you could check...

     

    --

    Adam

     
    |
    Mark as:
  • WolfShade
    Currently Being Moderated
    3. WolfShade,
    Jul 27, 2012 6:29 AM   in reply to Adam Cameron.
    Report

    Thank you for the link to the blog, Adam.  Nice article!  Was not aware of how the process works.  (I love CF, but never really learned the inner workings.)

     

    ^_^

     
    |
    Mark as:
  • Adam Cameron.
    Currently Being Moderated
    4. Adam Cameron.,
    Jul 29, 2012 6:43 AM   in reply to WolfShade
    Report

    Just to follow up on the <cfinsert> and <cfupdate> thing, I've done some investigation there too: http://bit.ly/MN0XYS.

     

    The important bit is that these two tags do indeed use parameters for their values these days (and since at least CF8.0.1), so that's something.

     

    --

    Adam

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points