quote:
Originally posted by: Kapitaine
It is wise to use cfqueryparam, but you can't use it for things like dynamic table names. I believe cfqueryparam can only be used in the where clause.
quote:
Originally posted by: Milosh
Hi Dan,
I believe I am using the terminology correctly, but my apologies for the confusion. I am calling an argument within a component to name a table, which is something that I haven't seen anyone do.
This example should explain it better than words and terminology (see below)! =)
The reason I am questioning this is because there are things that work, and there are things that work and work properly. For instance, as a coder you could easily put a couple of pound-signs after the where clause for companyID and it would work fine. But using cfqueryparam to eliminate SQL injection is the proper way to do it, and that's what I want to ensure when doing my component argument calling the table name.
I appreciate your input. =)
Cheers,
Miles
-------------- start "retrieval" component snippet ----------------------------
<cffunction name="getinfo" access="remote" returntype="query" output="false" hint="gets tool info">
<cfargument name="tablename" type="string" required="true" hint="table name">
<cfargument name="companyID" type="string" required="false" hint="id">
<cfargument name="sort" type="string" required="false" default="lastname" hint="sort">
<cfset var getinfo = "">
<cfquery name="getinfo" datasource="#variables.dsn#">
select *
<!--- start questionable code --->
from [#arguments.tablename#]
<!--- end questionable code --->
where
companyID = <cfqueryparam value="#arguments.companyID#" cfsqltype="cf_sql_integer" maxlength="50">
order by
<!--- note: arguments.sort is spliced into the SQL text the same way as the table name --->
<cfif isdefined("arguments.sort") and len(arguments.sort)>#arguments.sort#</cfif>
</cfquery>
<cfreturn getinfo>
</cffunction>
-------------- end "retrieval" component snippet ----------------------------
-------------- on the page itself ----------------------------
On the page itself, I would call this component by writing:
<!--- start query --->
<cfset getinfo = application.retrieval.getinfo(tablename="users", companyID=session.companyID)>
<!--- end query --->
<!--- start output --->
<cfoutput query="getinfo">
......output here.....
</cfoutput>
<!--- end output --->
-------------- end page itself ----------------------------
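One way to close the gap both posts describe, as an added example (not the code from the original post): since cfqueryparam can only bind values, check the table name and sort column against a fixed allowlist and splice only the allowlist's own literal into the SQL text. The allowlist contents and variables.dsn being set elsewhere in the component are assumptions.

```cfml
<!--- Added example, not from the original post: cfqueryparam binds values only,
      so identifiers (table, column) must be validated against an allowlist instead. --->
<cfcomponent output="false" hint="retrieval component with validated identifiers">

    <!--- Hypothetical allowlists: only these literals may ever reach the SQL text --->
    <cfset variables.allowedTables = ["users", "tools"]>
    <cfset variables.allowedSortColumns = ["lastname", "firstname", "companyID"]>

    <cffunction name="getinfo" access="remote" returntype="query" output="false" hint="gets tool info">
        <cfargument name="tablename" type="string" required="true" hint="table name">
        <cfargument name="companyID" type="numeric" required="true" hint="id">
        <cfargument name="sort" type="string" required="false" default="lastname" hint="sort column">
        <cfset var getinfo = "">
        <cfset var tableIdx = arrayFindNoCase(variables.allowedTables, arguments.tablename)>
        <cfset var sortIdx = arrayFindNoCase(variables.allowedSortColumns, arguments.sort)>

        <!--- Reject anything not on the allowlist (arrayFindNoCase returns 0 on no match) --->
        <cfif tableIdx eq 0>
            <cfthrow type="InvalidTableName" message="Table name is not on the allowlist">
        </cfif>
        <cfif sortIdx eq 0>
            <cfthrow type="InvalidSortColumn" message="Sort column is not on the allowlist">
        </cfif>

        <!--- The identifiers spliced in below are the allowlist's own literals, never the
              caller's string; the value (companyID) is still bound with cfqueryparam. --->
        <cfquery name="getinfo" datasource="#variables.dsn#">
            select *
            from [#variables.allowedTables[tableIdx]#]
            where companyID = <cfqueryparam value="#arguments.companyID#" cfsqltype="cf_sql_integer">
            order by #variables.allowedSortColumns[sortIdx]#
        </cfquery>
        <cfreturn getinfo>
    </cffunction>
</cfcomponent>
```

The page-level call stays as in the post (`application.retrieval.getinfo(tablename="users", companyID=session.companyID)`); a caller passing an unlisted name now gets a thrown error rather than a query built from its input.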