I have inherited a large legacy ColdFusion app. There are hundreds of <cfquery>some sql here #variable#</cfquery> statements that need to be parameterized along the lines of: <cfquery> some sql here <cfqueryparam value="#variable#"/> </cfquery>
How can I go about adding parameterization programmatically?
I have thought about writing so...
I need to dynamically construct a set of JOIN statements where the table and column names are passed in from another ColdFusion query. When passing the string values into the statement, CFQUERYPARAM adds single quotes around it - that's part of the point of CFQUERYPARAM. Given that this breaks the SQL statement, is it acceptable not...
Updates:
I have submitted the bug to Adobe and referenced this SO question
In my real-world code where the problem occurred I decided to just remove my use of cfqueryparam. I am now using a custom function to format the param based on type. There are security and speed concerns that I will have to deal with but it gets the particular p...
I'm trying to be a good CF web developer and use <cfqueryparam> around all FORM or URL elements that make it to my SQL queries.
In this case, I'm trying to allow a user to control the ORDER BY clause dynamically.
<cfquery datasource="MyDSN" name="qIncidents">
SELECT IncidentID, AnimalID, IntakeDate, DxDate, OutcomeDate
FROM Incide...
I'm writing a subsystem whose tables might be renamed from project to project.
Instead of asking the user of my subsystem to search & replace before using it, does this work?
<cfquery name="local.foo" datasource="#dsn#">
SELECT col1, col2, col3
FROM #tableName#
</cfquery>
Without <cfqueryparam>, will it become non-cacheable? or an...
I have a query:
SELECT id FROM table WHERE field1=<cfqueryparam value="#URL.field1#"
cfsqltype="cf_sql_varchar">
AND field2=<cfqueryparam value="#URL.field2#"
cfsqltype="cf_sql_varchar">
AND field3=<cfqueryparam value="#URL.field3#"
cfsqltype="cf_sql_varchar">;
Id is an INTEGER in MySQL, but the above query return...
When connecting from ColdFusion 8 to a MS SQL 2008 datasource, what ColdFusion cfsqltype should I use for a SQL column set to 'uniqueidentifier'?
<cfquery name="user" datasource="#ds#">
SELECT id, username
FROM users
WHERE id = <cfqueryparam cfsqltype="WHAT_CF_SQL_TYPE_HERE?" value="#arguments.id#">
</cfquery>
Thanks!
...
This is the query that I have.
<cfquery name="qryname" datasource="dsn">
UPDATE ticketlist
SET status = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="Expired">
WHERE expdatetime <
<cfqueryparam value = "#yourDate#" cfsqltype = "CF_SQL_DATE" maxLength = "19">
</cfquery>
It is able to give me all the results whose expdatetime is l...