[ACFUG Discuss] CFQueryParam

2007-08-01 Thread Charlie Stell
Does anyone know if CFQueryParam is offered in a function version? I'm trying to build out a dynamic query string and then use that for the where clause... Thanks! Charlie - Annual Sponsor FigLeaf Software - http://www.figleaf.com To

RE: [ACFUG Discuss] CFQueryParam

2007-08-01 Thread axunderwood
ECTED] [mailto:[EMAIL PROTECTED] Behalf Of Charlie Stell Sent: Wednesday, August 01, 2007 11:18 AM To: discussion@acfug.org Subject: [ACFUG Discuss] CFQueryParam Does anyone know if CFQueryParam is offered in a function version? I'm trying to build out a dynamic query string and then use that fo

Re: [ACFUG Discuss] CFQueryParam

2007-08-01 Thread Dean H. Saxe
Might want to search the recent ACFUG archives. should only be used in the context of the tag since it tells CF to make the statement a prepared statement. This doesn't make any sense in any other context since doesn't do anything special to the data itself. -dhs Dean H. Saxe, CISS

Re: [ACFUG Discuss] CFQueryParam

2007-08-01 Thread AppDeveloper
The only problem with this is that you must put tags around your query inside of your tags for it to work, or it will choke on the # signs. so you just use it like this: SELECT * FROM thistable WHERE this = #qparam("int","2338")# Taken from http://www.houseoffusion.com/groups

Re: [ACFUG Discuss] CFQueryParam

2007-08-01 Thread Dean H. Saxe
I am shocked that works... this indicates that CF processes the value of the function and then processes its output (the tag) too? -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] "If liberty means anything at all, it means the right to tell people what they do not want to hear." -- Geo

[ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Tepfer, Seth
We have an MSAccess db, and have a dynamic sort with cfqueryparam. When I use the actual field (fname), the query sorts correctly. When I use the cfqueryparam, it does not sort - even though the debug says the field fname was sent correctly. Does cfqueryparam make sort not work? Thanks s

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Charlie Arehart
rt of that previous CFQUERY? /charlie _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tepfer, Seth Sent: Monday, July 23, 2007 12:28 PM To: discussion@acfug.org Cc: Small, Lewis B. Subject: [ACFUG Discuss] cfqueryparam in a sort We have an MSAccess db, and have a dy

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Small, Lewis B.
From: Charlie Arehart [mailto:[EMAIL PROTECTED] Sent: Monday, July 23, 2007 1:42 PM To: discussion@acfug.org Cc: Small, Lewis B. Subject: RE: [ACFUG Discuss] cfqueryparam in a sort Seth, it may help to show your SQL so we know for sure what you're aski

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Tepfer, Seth
ific experience? /charlie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Small, Lewis B. Sent: Monday, July 23, 2007 2:45 PM To: Charlie Arehart; discussion@acfug.org Subject: RE: [ACFUG Discuss] cfqueryparam in a sort S

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-23 Thread Dean H. Saxe
nday, July 23, 2007 4:43 PM To: discussion@acfug.org Subject: RE: [ACFUG Discuss] cfqueryparam in a sort OK, as I had surmised, you're using the CFQueryParam in the SORT itself. I know this "works" (doesn't give an error, in 7 or before), but it doesn't do what you wa

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-26 Thread Charlie Arehart
that's helpful. /charlie _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Monday, July 23, 2007 4:52 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort Yes, Seth, technically you are correct. But there is a better

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-26 Thread Dean H. Saxe
ject extra SQL statements will be detected and prevented. Hope that's helpful. /charlie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Monday, July 23, 2007 4:52 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort Yes, Set

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-26 Thread Charlie Arehart
Yep, more and more refinement. :-) /charlie _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Thursday, July 26, 2007 10:13 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort Charlie, Good idea. Actually the

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread Dean H. Saxe
pful. /charlie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Monday, July 23, 2007 4:52 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort Yes, Seth, technically you are correct. But there is a better way here. Instead

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread Douglas Knudsen
> > useful one, but I thought of something that none > > of us mentioned. > > > > > > Since you know that the list of columns is a > > limited set, you could > > > also keep it the simpler way of passing in the > > column names (if you > > >

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread vivek khosla
us attempt by a user to inject extra SQL > statements will be > > detected and prevented. Hope that's helpful. > > > > /charlie > > > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Dean H. > > Saxe > > Sent: Monday, J

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread Dean H. Saxe
MAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Friday, July 27, 2007 8:40 AM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort How does that provide any security? Unless you validate the data, you are subject to SQL injection. Dean H. S

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread Charlie Arehart
"it's a string". I think it escapes single quotes and more, which I don't think the CFARGUMENT datatype protection will do. Anyone know more? /charlie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Friday, July

Re: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread Dean H. Saxe
Dean. Just being clear. This is what we get when two people strive to be very clear all the time! :-) /charlie -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Friday, July 27, 2007 10:23 AM To: discussion@acfug.org Subject:

RE: [ACFUG Discuss] cfqueryparam in a sort

2007-07-27 Thread Charlie Arehart
MAIL PROTECTED] On Behalf Of Dean H. Saxe Sent: Friday, July 27, 2007 10:23 AM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam in a sort Good catch Charlie... guess my morning coffee hadn't kicked in yet! Parameterization doesn't actually escape anything. It forces

[ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005

2007-03-29 Thread Jeff Howard
Hey all, I'm working on an asset tracking system and once again I've found myself using the CFGRID to be able to edit several items at once and then save. In the past week we've migrated to SQL Server 2005. I am having an issue with saving NULL values to the db. I just read Charlie's blog from

Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005

2007-03-29 Thread Tom McNeer
Jeff, Bottom line, why is inserting the string "null" into my db instead of ??? There's nothing in the code you showed that would insert that value. Just a guess, but -- is your old code in place, the code that tried to create "null" in a string value? You're experiencing the same behavior y

Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005

2007-03-29 Thread Jeff Howard
Tom, Syntax error on my part. It is an UPDATE that I'm doing and not an INSERT. The code I provided is the update statement. As far as the old code, it exists in a backup file but is not present at all in the live code. The behavior that the app is displaying is as follows: 1. If I click in

RE: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005

2007-03-29 Thread Troy Jones
PROTECTED] On Behalf Of Jeff Howard Sent: Thursday, March 29, 2007 1:26 PM To: discussion@acfug.org Subject: Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005 Tom, Syntax error on my part. It is an UPDATE that I'm doing and not an INSERT. The code I provided is the u

Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005

2007-03-29 Thread Teddy Payne
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff Howard *Sent:* Thursday, March 29, 2007 1:26 PM *To:* discussion@acfug.org *Subject:* Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005 Tom, Syntax error on my part. It is an UPDATE that I'm doing and not an

Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL Server 2005

2007-03-29 Thread Jeff Howard
ECTED] > > > -- > > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Jeff > Howard > *Sent:* Thursday, March 29, 2007 1:26 PM > *To:* discussion@acfug.org > *Subject:* Re: [ACFUG Discuss] cfqueryparam and NULL attribute SQL >