MACROMEDIA COLDFUSION MX 61-DEVELOPING COLDFUSION MX Develop Manual page 436


The cfqueryparam tag checks that the value of Emp_ID is an integer data type. If anything else in the query string is not an integer, such as a SQL statement to delete a table, the cfquery tag does not execute. Instead, the cfqueryparam tag returns the following error message:

Invalid data '7 DELETE FROM Employee' for CFSQLTYPE 'CF_SQL_INTEGER'.

Using cfqueryparam with strings

When passing a variable that contains a string to a query, specify a maxLength, and specify the cf_sql_char value of the cfsqltype attribute, as in the following example:

<cfquery name = "getFirst" dataSource = "cfsnippets">
  SELECT * FROM employees
  WHERE LastName = <cfqueryparam value = "#LastName#"
    cfsqltype = "cf_sql_char" maxLength = "17">
</cfquery>

In this case, cfqueryparam performs the following checks:

• It ensures that LastName contains a string.
• It ensures that the string is 17 characters or less.
• It escapes the string with single-quotation marks so that it appears as a single value to the database. Even if a hacker passes a bad URL, it appears as follows:

WHERE LastName = 'Anwar DELETE FROM MyCustomerTable'.

Using cfSqlType

The following table lists the available SQL types against which you can evaluate the value attribute of the cfqueryparam tag:

BIGINT       BIT           CHAR         DATE
DECIMAL      DOUBLE        FLOAT        IDSTAMP
INTEGER      LONGVARCHAR   MONEY        MONEY4
NUMERIC      REAL          REFCURSOR    SMALLINT
TIME         TIMESTAMP     TINYINT      VARCHAR

Note: Specifying the cfsqltype attribute causes the DBMS to use bind variables, which can greatly enhance performance.

436    Chapter 20: Accessing and Retrieving Data
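The three checks the page attributes to cfqueryparam (type validation against cfsqltype, the maxLength limit, and passing the value to the database as a bind variable so injected SQL is treated as data) modelled in Python with sqlite3. This is an added example, not ColdFusion's own code; the employees rows and the maxLength rejection text are constructed, while the CF_SQL_INTEGER message is the one quoted on this page.

```python
import re
import sqlite3

# Constructed stand-in for what cfqueryparam does: validate the value against
# the declared cfsqltype (and maxLength for strings), then hand it to the
# database as a bind variable instead of splicing it into the SQL text.

class InvalidData(ValueError):
    """Raised where cfqueryparam would refuse to run the query."""

def query_param(value, cfsqltype, max_length=None):
    """Return a value that is safe to bind, or raise InvalidData."""
    text = str(value)
    if cfsqltype == "cf_sql_integer":
        # Only an optionally signed run of digits is an integer; anything
        # trailing the number (e.g. a second statement) is rejected.
        if not re.fullmatch(r"\s*-?\d+\s*", text):
            raise InvalidData(f"Invalid data '{text}' for CFSQLTYPE 'CF_SQL_INTEGER'.")
        return int(text)
    if cfsqltype == "cf_sql_char":
        if max_length is not None and len(text) > max_length:
            # Constructed message; the page only states that the length is checked.
            raise InvalidData(f"Invalid data '{text}' exceeds maxLength {max_length}.")
        return text
    raise ValueError(f"unsupported cfsqltype {cfsqltype}")

def rejection_message(value, cfsqltype, max_length=None):
    """Error text the check would produce, or None if the value is accepted."""
    try:
        query_param(value, cfsqltype, max_length)
    except InvalidData as exc:
        return str(exc)
    return None

def make_db():
    """In-memory employees table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (Emp_ID INTEGER, LastName TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)",
                     [(7, "Anwar"), (8, "Smith")])
    return conn

def get_first(conn, last_name, max_length=17):
    """The page's getFirst query: LastName is validated, then bound via '?'."""
    param = query_param(last_name, "cf_sql_char", max_length)
    return conn.execute("SELECT Emp_ID, LastName FROM employees WHERE LastName = ?",
                        (param,)).fetchall()

def row_count(conn):
    """Number of employees rows; unchanged after a hostile lookup."""
    return conn.execute("SELECT COUNT(*) FROM employees").fetchone()[0]
```

With max_length=None the page's hostile value is still bound as one literal: it matches no row and the table keeps both rows, which is the point of bind variables even before the length check applies.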
