Questions tagged [cfqueryparam]

`<cfqueryparam>` is a ColdFusion tag that is used to parameterize values that are used in the `<cfquery>` tag.

Some of the benefits to using the <cfqueryparam> tag include:

  • Values are bound as query parameters instead of being concatenated into the SQL string, so quotes, comment markers and other special characters in user data are treated as data rather than as SQL
  • Protection against SQL injection attacks for the value positions it parameterizes (it cannot bind identifiers such as table or column names or an ORDER BY column; those must be validated against a whitelist instead)
  • While ColdFusion is not strongly typed, SQL is. The cfsqltype attribute converts the ColdFusion variable to the proper SQL type and throws an error for a value that does not convert (for example a non-numeric string sent as cf_sql_integer); maxlength likewise rejects over-long values
  • NULLs can be handled separately from blank strings with the null attribute
  • ColdFusion lists can be converted for use in SQL IN clauses with list="true", one bind parameter per list item
  • SQL can make better use of query plans, because the statement text is identical across calls and only the bound values change

For more details:

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-tags/tags-p-q/cfqueryparam.html

For the cfscript equivalent, queryExecute():

https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-m-r/queryexecute.html
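As an added example (not code from the tag wiki or from Adobe's documentation), here is the unparameterized pattern the benefits above are measured against, beside the parameterized forms of the same queries. The datasource name myDSN, the users and orders tables and the form fields are assumed for illustration:

```cfml
<!--- VULNERABLE (added example): the raw value is pasted into the SQL string, so
      form.username = "x' OR '1'='1" becomes part of the statement --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT id, username FROM users WHERE username = '#form.username#'
</cfquery>

<!--- HARDENED: the value travels as a bind parameter. cfsqltype rejects values that
      do not convert, maxlength caps the size, and no quotes are placed around the tag --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar" maxlength="50">
</cfquery>

<!--- list="true": a comma-separated CF list becomes one parameter per item
      (form.ids = "3,7,12" is sent as IN (?, ?, ?)); a non-integer item throws
      before the statement reaches the database --->
<cfquery name="getOrders" datasource="myDSN">
    SELECT id, total
    FROM orders
    WHERE id IN (<cfqueryparam value="#form.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- null="true" sends SQL NULL instead of an empty string --->
<cfquery name="saveProfile" datasource="myDSN">
    UPDATE users
    SET middle_name = <cfqueryparam value="#form.middleName#" cfsqltype="cf_sql_varchar"
                                    null="#NOT len(trim(form.middleName))#">
    WHERE id = <cfqueryparam value="#form.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- cfscript form with queryExecute(): named :placeholders map to a struct of params --->
<cfscript>
getUserScript = queryExecute(
    "SELECT id, username FROM users WHERE username = :username",
    { username = { value = form.username, cfsqltype = "cf_sql_varchar", maxlength = 50 } },
    { datasource = "myDSN" }
);
</cfscript>
```

Note that quoting is the one thing that changes between the two forms: `'#form.username#'` needs the quotes because it is string interpolation, while the `<cfqueryparam>` tag must not be wrapped in quotes, or the database receives the literal text of the placeholder.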

65 questions

11 votes, 1 answer

How should I use maxlength in CFQUERYPARAM list="true"?

I'm curious how the maxlength attribute works in CFQUERYPARAM when you are passing a list. Does the maxlength apply to the length of the entire list (i.e. length of "1,2,3,4,5,6" = 11)? Or does the maxlength apply to each item in the list? I cannot…
Asked by Eric Belair

7 votes, 5 answers

How do you use cfqueryparam in the ORDER BY clause?

I'm trying to be a good CF web developer and use <cfqueryparam> around all FORM or URL elements that make it to my SQL queries. In this case, I'm trying to allow a user to control the ORDER BY clause dynamically.
Asked by Chris Brandt

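An added example, not taken from the question or its answers: ORDER BY takes identifiers, which cfqueryparam cannot bind, so the client's choice is mapped through a whitelist and only a whitelisted SQL fragment is ever interpolated. The url.sort, url.dir and url.status parameters, the users table and the datasource name are assumed:

```cfml
<!--- Added example: whitelist-based dynamic ORDER BY. Nothing the client sends is
      interpolated; only the value looked up from the whitelist reaches the SQL --->
<cfparam name="url.sort"   default="name">
<cfparam name="url.dir"    default="asc">
<cfparam name="url.status" default="active">

<!--- keys are what the client may send; values are the only column names that reach SQL --->
<cfset sortColumns = {
    "name"    = "last_name",
    "created" = "created_at",
    "email"   = "email"
}>

<!--- an unknown sort key falls back to the default rather than being passed through --->
<cfset sortColumn = structKeyExists(sortColumns, url.sort) ? sortColumns[url.sort] : sortColumns["name"]>
<cfset sortDir    = (lCase(url.dir) EQ "desc") ? "DESC" : "ASC">

<cfquery name="listUsers" datasource="myDSN">
    SELECT id, last_name, email, created_at
    FROM users
    WHERE status = <cfqueryparam value="#url.status#" cfsqltype="cf_sql_varchar" maxlength="20">
    ORDER BY #sortColumn# #sortDir#
</cfquery>
```

The value position (status) is still parameterized; only the two identifier fragments are interpolated, and both are chosen by the server from fixed strings. An alternative with the same property is a CASE expression in the ORDER BY that compares a cfqueryparam-bound sort key against literal column choices in the SQL itself.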
7 votes, 2 answers

Is there any logical reason to use CFQUERYPARAM in Query of Queries?

I primarily use CFQUERYPARAM to prevent SQL injection. Since Query-of-Queries (QoQ) does not touch the database, is there any logical reason to use CFQUERYPARAM in them? I know that values that do not match the cfsqltype and maxlength will throw an…
Asked by Eric Belair

6 votes, 2 answers

Protection from SQL injection in ColdFusion

I am trying to improve my application's security. Whenever I receive data from the user (whether through POST or GET) that is supposed to be an integer, I validate that appropriately. But often the data is VARCHAR, and sometimes can contain…
Asked by Eleeist

5 votes, 1 answer

Using cfqueryparam with constants

We religiously use cfqueryparam in our SQL queries. Some of my predecessors seem to have been a little overzealous when using it with direct values rather than variables. Isn't record_is_deleted_bt =
Asked by Fish Below the Ice

5 votes, 3 answers

How can <cfqueryparam> affect performance for constants and null values?

Consider the following: SELECT aColumn FROM aTable WHERE bColumn = AND cColumn = 'someConstant' AND dColumn is…

4 votes, 10 answers

Is there a solution to this cfqueryparam memory leak?

Updates: I have submitted the bug to Adobe and referenced this SO question. In my real-world code where the problem occurred I decided to just remove my use of cfqueryparam. I am now using a custom function to format the param based on type. There…
Asked by Dan Roberts

4 votes, 2 answers

For a ColdFusion cfqueryparam which CFSQLType do you use for TEXT?

So if I have a cfqueryparam, and the datatype in SQL is TEXT, which of the CFSQLTypes do I use? Or do I follow the below link about uniqueidentifiers? Or is it just better to change the datatype to varchar/longvarchar? cfqueryparam documentation…
Asked by FangerZero

4 votes, 2 answers

CFQUERY times out when using cfqueryparams and MSSQL Server?

I'm executing a query that returns about 16000 rows. Running the straight SQL in MS SQL Server Manager returns the records in a few seconds. Running the same SQL in cfquery returns it in about the same time. The query is composed with a few…
Asked by Danomite

4 votes, 4 answers

In ColdFusion what do single and double quotes around attribute values do?

For example what do the "" around #Trim(FORM.fromfirstname)# do? I'm adding <cfqueryparam> tags and am wondering if the quotes are still required? SELECT * FROM users …
Asked by Celeritas

4 votes, 3 answers

Slow query with cfqueryparam searching on indexed column containing hashes

I have the following query that runs in 16ms - 30ms. SELECT hash FROM jobs WHERE hash in( 'EBDA95630915EB80709C69089315399B', '3617B8E6CF0C62ECBD3C48DDF8585466', …
Asked by Owen Allen

3 votes, 6 answers

How can I encode/escape a varchar to be more secure without using cfqueryparam?

How can I encode/escape a varchar to be more secure without using cfqueryparam? I want to implement the same behaviour without using <cfqueryparam> to get around the "Too many parameters were provided in this RPC request. The maximum is 2100" problem.…
Asked by Henry

3 votes, 5 answers

How do I programmatically sanitize ColdFusion cfquery parameters?

I have inherited a large legacy ColdFusion app. There are hundreds of some sql here #variable# statements that need to be parameterized along the lines of: some sql here How…
Asked by Nathan Feger

3 votes, 1 answer

Query param not behaving as expected

I'm using an :order query param to pass an order argument to my function. Unfortunately, it seems not to have an effect on the output. The request debugging output shows the order argument is parsed correctly: Parameter #2(cf_sql_varchar) =…
Asked by Mohamad

3 votes, 2 answers

Strange ColdFusion 10 Error using cfquery cfqueryparam

I am using ColdFusion 10 Update 23 with MySQL database. When I make a change to a script where I am using cfqueryparam the script causes this error message: "The type for attribute value of tag queryparam could not be determined." This script works…
Asked by GThurmon