John,
The cfqueryparam tag is essential in any dynamic query to protect from SQL
injection attacks. The two main arguments used in the tag are cfsqltype and
value. The function of value should be pretty clear, and you're right,
cfsqltype specifies the datatype; ColdFusion uses this information to make
sure that the value entered is valid and automatically escapes single quotes
etc. from string values.
Trust me, learn and get into the habit of using it; SQL injection attacks
can do massive harm to you, your clients or end users.
<cfquery name="dynamicQueryExample" datasource="DSN">
    SELECT somevalue
    FROM sometable
    WHERE someothervalue = <cfqueryparam cfsqltype="sometype" value="#dynamicValue#" />
</cfquery>
Regards,
Gabriel
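To make the point above concrete, here is an added example (not from the thread) showing the same lookup written the unsafe way and with cfqueryparam; it assumes a users table with an integer id and a varchar username column, a datasource named DSN, and request values arriving in the url scope.

```cfml
<!--- Added example, not from the original thread. Assumes a "users" table
      (id integer, username varchar), a datasource "DSN", and url.id /
      url.name / url.ids supplied by the caller. --->

<!--- UNSAFE: the raw request value becomes part of the SQL text, so any
      quotes or keywords it contains change the statement itself. --->
<cfquery name="unsafe" datasource="DSN">
    SELECT id, username FROM users
    WHERE id = #url.id#
</cfquery>

<!--- SAFE: each value is bound as a typed parameter. ColdFusion checks the
      value against cfsqltype and the driver sends it separately from the
      statement, so it can never be parsed as SQL. --->
<cfquery name="safe" datasource="DSN">
    SELECT id, username FROM users
    WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#" />
      AND username = <cfqueryparam cfsqltype="cf_sql_varchar"
                                   value="#url.name#" maxlength="50" />
</cfquery>

<!--- IN (...) lists: list="true" binds each comma-separated item as its own
      integer parameter instead of pasting the list into the query. --->
<cfquery name="byIds" datasource="DSN">
    SELECT id FROM users
    WHERE id IN (<cfqueryparam cfsqltype="cf_sql_integer"
                               value="#url.ids#" list="true" />)
</cfquery>

<!--- Type validation in action: a non-numeric value for cf_sql_integer is
      rejected by ColdFusion before anything is sent to the database. --->
<cftry>
    <cfquery name="typed" datasource="DSN">
        SELECT id FROM users
        WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="abc" />
    </cfquery>
    <cfcatch type="any">
        <cfoutput>Rejected before reaching the database: #cfcatch.message#</cfoutput>
    </cfcatch>
</cftry>
```

The maxlength attribute on the varchar parameter is an extra length check; the injection protection comes from the parameter binding itself.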
-----Original Message-----
From: John Barrett [mailto:[EMAIL PROTECTED]]
Sent: Friday, 11 July 2008 3:54 PM
To: CF-Newbie
Subject: Re: CF & MySQL Troubles
Hi gabriel,
Thanks so much for your response.
I looked on live docs:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html
about the cfqueryparam tag. I have to say I am confused, as it seems this
tag tells ColdFusion what the database field is, in this case
cf_sql_varchar. This tells CF that the DB field is varchar, or another one
could be CF_SQL_INTEGER. On LiveDocs Adobe says using this with cfquery is
a good security message, but is there a programming implication to it as
well? I am a newbie, and always trying to learn the best ways to do things.
Thanks again,
John
Archive:
http://www.houseoffusion.com/groups/CF-Newbie/message.cfm/messageid:3814