Jim McAtee wrote:
>
> How exactly does cfqueryparam fix this? I just modified a tiny application I
> wrote which now uses a MySQL table to track query history. Using
> <cfqueryparam> did indeed fix the problem, but I can't really tell what it's
> doing.
>
> My cfquery, which looks like
>
> <cfquery datasource="Whois">
> INSERT INTO history (searchdatetime, employeeid, searchstring, serverid)
> VALUES (#CreateODBCDateTime(Now())#, #employeeid#,
> <cfqueryparam value="#form.domain#" cfsqltype="cf_sql_varchar">,
> #form.serverid#)
> </cfquery>
>
> is transformed into
>
> INSERT INTO history (searchdatetime, employeeid, searchstring, serverid)
> VALUES ({ts '2003-07-30 17:47:22'}, 9,
> ?,
> 1)
>
> Query Parameter Value(s) -
> Parameter #1 = the search\
>
> and the string "the search\" gets inserted into the table. I understand how
> the prepared statement works, but is <cfqueryparam> doing some type of
> auto-escape (that isn't visible in the debug output), or does it somehow affect
> the query behavior?
cfqueryparam uses bind variables which in effect tells the
database driver "escape this variable" (amongst other things).
Since what exactly needs to be escaped and how it needs to be
escaped depends on which database you are using, this is a
feature of the database driver, not of CF MX. For some Java code
that gives a peek behind the scenes see
http://www.houseoffusion.com/lists.cfm?link=m:4:16005:82617
Jochem
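An added illustration of the mechanism Jim is asking about (this is not code from the thread; it uses Python's sqlite3 module instead of CFML and MySQL so it runs stand-alone, and the sample inputs are constructed). The interpolated form pastes the value into the SQL text, as `#form.domain#` did, so the parser sees it as SQL. The bound form uses the `?` placeholder that appeared in Jim's debug output, and the value travels to the driver outside the statement text, so it lands in the table byte for byte and nothing ever has to be escaped. One caveat: SQLite does not treat a backslash as an escape character, so the trailing backslash from the post only breaks the interpolated form on MySQL; the inputs carrying a single quote show the same failure on any database.

```python
import sqlite3

# Constructed sample inputs. The first is the exact string from the post; the
# second carries the string delimiter, which every SQL dialect treats specially;
# the third turns the VALUES clause into an expression if it reaches the parser.
SAMPLE_INPUTS = ["the search\\", "O'Reilly", "x' OR 'a'='a"]

# Same statement shape as the CF debug output: only '?' in the SQL text.
INSERT_BOUND = ("INSERT INTO history (searchdatetime, employeeid, searchstring, serverid) "
                "VALUES (?, ?, ?, ?)")


def fresh_db():
    """In-memory table with the columns from the post (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE history (searchdatetime TEXT, employeeid INTEGER, "
                 "searchstring TEXT, serverid INTEGER)")
    return conn


def insert_interpolated(conn, employeeid, searchstring, serverid):
    """#form.domain# pasted into the SQL text: the database parses it as SQL."""
    sql = ("INSERT INTO history (searchdatetime, employeeid, searchstring, serverid) "
           "VALUES ('2003-07-30 17:47:22', %d, '%s', %d)"
           % (employeeid, searchstring, serverid))
    conn.execute(sql)


def insert_bound(conn, employeeid, searchstring, serverid):
    """<cfqueryparam>: the value is shipped separately from the statement text."""
    conn.execute(INSERT_BOUND, ("2003-07-30 17:47:22", employeeid, searchstring, serverid))


def round_trip(inserter, value):
    """Insert one search string with the given strategy and return what the
    table holds afterwards, or the exception class name if the statement failed."""
    conn = fresh_db()
    try:
        inserter(conn, 9, value, 1)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return conn.execute("SELECT searchstring FROM history").fetchone()[0]


def compare_all(values=SAMPLE_INPUTS):
    """Map each input to (bound result, interpolated result)."""
    return {v: (round_trip(insert_bound, v), round_trip(insert_interpolated, v))
            for v in values}


if __name__ == "__main__":
    for value, (bound, interp) in compare_all().items():
        print(f"{value!r:20} bound={bound!r:20} interpolated={interp!r}")
```

The bound column returns every input unchanged, including the quote and the tautology, because the value was never part of the statement. The interpolated column throws a syntax error on `O'Reilly` and silently stores the result of the expression `'x' OR 'a'='a'` instead of the text. Note that some JDBC drivers emulate binding on the client by escaping the value into the statement text, which is the behaviour Jochem describes; either way the application code never has to know the dialect's escaping rules.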
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription:
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq