ansaurus

Question

Answer 1

+4 A:

No, you can't use a cfif in the attribute section of cfquery. You can, however, set a default value:

<cfargument name="arguments.timeout" default="60" />

Then just use the query with arguments.timeout as specified. It will be 60 seconds by default (or some sane value). If the user specifies a value, then that will be used instead. In my opinion this is better than having two separate cfquery statements.

The livedocs for cfargument.

Ryan Emerle 2009-11-09 13:27:07

Also if he/she matches the default to the setting in CFAfdmin the query will have the same timeout as if the attribute was not there.

kevink 2009-11-09 14:02:29

Well, What about If i have requirement to use the timeout attribute only when I have that value passed as argument?

CFUser 2009-11-09 16:52:41

Then you need to have separate cfqueries written inside an if/else block.

Al Everett 2009-11-09 21:01:57

Peter Boughton 2009-11-10 13:32:09

Ah, yes. I forgot about attribute collection. +1 for you.

Al Everett 2009-11-10 20:51:04

Answer 2

+5 A:

By the way - what's the point of such a thing:

<cfquery 
  name       = "UpdateRecord"   
  dataSource = "#arguments.dbSource#"   
  username   = "#arguments.dbUser#"   
  password   = "#arguments.dbPass#" 
  timeout    = "#arguments.Timeout#"
  result     = "updateResult"
>
  <cfoutput>#preserveSingleQuotes(arguments.updateQuery)#</cfoutput>
</cfquery>

You are passing in every single bit of info that makes a cfquery, including the actual SQL code. This makes no sense whatsoever, you could just as well use cfquery then and there, instead of invoking such an over-generalized function. It would even be less code.

Apart from that,

PreserveSingleQuotes(completeSqlString) disables any SQL injection checks ColdFusion has, leaving this function wide open for abuse and SQL syntax errors.
<cfoutput> is on by default within CF tag bodies. The <cfoutput> is therefore redundant in the above.

Abstraction is good and everything, but the above is completely pointless, and dangerous at that.

Tomalak 2009-11-09 14:11:35

I agree that, if used with any user input, this is dangerous. I've seen it before, though, for calling queries from cfscript.

Ben Doom 2009-11-09 15:08:52

This would be the only justification. Then again, if you write cfscript code complex enough to work with "generic" queries, you might be better off writing real CFML.

Tomalak 2009-11-09 16:07:32

Well Just to avoid Confusion, I have a requirement to update the what ever I get input(Assuming Validations part like where clauses etc.. already done)

CFUser 2009-11-09 16:50:10

I agree wholeheartedly with @Tomalak on this one. If that is the requirement then, assuming the updateQuery isn't properly sanitized (which should always be the first assumption) it is requirement of solution that hasn't been well thought out. At the very least the requirement should afford you some way to utilize cfparam in cfquery statment to increase security and performance.

Ryan Lynch 2009-11-09 17:17:40

Looking at your inflexibility of your requirements and your mention of another requirement regarding timeout...I'm beginning to fear that this query is the meat of a web service that some other service is calling remotely to query your database. Please tell me this isn't the case.

Ryan Lynch 2009-11-09 17:22:16

The OP never indicated that the query was the whole of the function. While I agree that this is scarily bad, your "answer" doesn't address the question.

Ryan Emerle 2009-11-10 15:05:50

@Ryan Emerle: I introduced it with "By the way" - it was never meant to be a full answer. That's why I up-voted yours.

Tomalak 2009-11-10 16:14:33

Answer 3

+3 A:

NOTE: As other have pointed out: you're almost certainly doing things wrong, and are most likely are creating an insecure and inefficient application that will be a nightmare to maintain.

However, in response to your specific question, yes, you can (indirectly) use cfif to control cfquery attributes - by passing a struct to the magic attribute AttributeCollection, like so:

<cfset var QueryAttributes = StructNew() />

<cfset QueryAttributes.Datasource  = Arguments.dbSource />
<cfset QueryAttributes.Username    = Arguments.dbUser />
<cfset QueryAttributes.Password    = Arguments.dbPass />
<cfif StructKeyExists(Arguments,'Timeout')>
 <cfset QueryAttributes.Timeout = Arguments.Timeout />
</cfif>

<cfquery name="UpdateRecord" result="updateResult"
 AttributeCollection="#QueryAttributes#"
    >
 ...
</cfquery>

(This functionality was introduced with CF8.)

Peter Boughton 2009-11-10 13:28:51

ansaurus

tags:

views:

answers:

Can i use cfif in cfquery?

related questions