Hello,
In CFQUERY operations, can someone advise as to the following:
1. What data types REQUIRE single quotes for UPDATE and INSERT statements?
* We are using MS SQL 2008 R2 with CF9
2. Is it best practice to use CFQUERYPARAM for EVERY statement now days?
I searched everywhere but can't seem to find any type of reference sheet anywhere that I can use when building my statemnts.
Thanks in advance.
G.
It is best to always use cfqueryparam because it not only for a performance boost but to protect the database from SQL injections always. Usually when using the cfqueryparam you do not need to worry about when to use single or double quotes. If you have data that has single of double quotes then you can use the perservesinglequotes() function. http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_m-r_14.html.
Hope this helps!
Huh? In one breadth you preach protection against sql injection, and in the next you recommend a function that encourages sql injection ;-)
- DO use cfqueryparam for sql injection protection
- DO NOT use perservesinglequotes, it risks sql injection
If you have data that has single of double quotes then you can use the perservesinglequotes() function.
It does nothing for double quotes. Only single quotes.
lol thanks Arrrgh, very true. Wasn't thinking straight when I wrote that post. Thanks for the backup. zZzZz :)
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.