cfqueryparam will escape potentially dangerous characters for you. This is ESSENTIAL if you don't want to have your database dropped by some nasty hacker type person.
Search through the archives for SQL injection attacks, you'll soon see why. It will also negate the need to escape quotes and other things manually, which is quite handy too. Trust me, cfqueryparam is your friend ;-) Craig. -----Original Message----- From: Rick Faircloth [mailto:[EMAIL PROTECTED]] Sent: 16 December 2002 16:51 To: CF-Talk Subject: RE: mySQL & CF Hi, Craig, and thanks for the reply. When you say they "make things a lot more secure." What exactly do you mean? Boy, that's a lot of extra typing over the typical CFINSERT syntax... Rick -----Original Message----- From: Craig Dudley [mailto:[EMAIL PROTECTED]] Sent: Monday, December 16, 2002 11:10 AM To: CF-Talk Subject: RE: mySQL & CF Standard SQL inserts will work fine on most if not all RDBMS's Eg. insert into tablename (int_col1,varchar_col2) values (<cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.val1#">,<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.val2#">) Do try to use the cfqueryparams, they make things a lot more secure. -----Original Message----- From: Rick Faircloth [mailto:[EMAIL PROTECTED]] Sent: 16 December 2002 16:02 To: CF-Talk Subject: RE: mySQL & CF Hi, Matt. I, too, learned about the CFUPDATE problem from personal experience and from the Allaire forums when I first started using CF (with Access at that time). I stopped using it and went to the CFQUERY...Set... approach. That's worked fine. I haven't had any problems with CFINSERT, but if that may be problematic in the future I may as well go ahead and change my coding habits now. How is the INSERT coded for mySQL and CF? Example? Thanks, Rick -----Original Message----- From: Matt Robertson [mailto:[EMAIL PROTECTED]] Sent: Monday, December 16, 2002 1:11 AM To: CF-Talk Subject: RE: mySQL & CF Rick, I noticed you mention that you use CFINSERT. From your earlier postings I know you are on CF 4.5x, as I am. You're likely to discover that CFINSERT and/or CFUPDATE sometimes blow sky-high on CF 4.5x (at least) when working with mySQL (3.23 for sure, and maybe 4.0x). In threads on the subject over at the (then) Allaire forums no specific cause was ever traced. It just happens. Sometimes. In one of those threads I believe it was Paul Hastings who advised me to 'just say no to cfinsert/cfupdate' and it ranks as some of the best CF advice I ever got. On the surface those tags appear to be handy shortcuts, but they black-box your SQL, take away the otherwise granular control you should have and make debugging ... difficult. I suggest you follow the same advice -- you'll probably find out you have to, anyway. While you're at it go for the double bonus and implement cfqueryparam. Happy Monday (early) :) --------------------------------------- Matt Robertson, MSB Designs, Inc. http://mysecretbase.com - Retail http://foohbar.org - ColdFusion Tools --------------------------------------- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm
