CFQUERY Datatypes and Quotes

Hello,

In CFQUERY operations, can someone advise as to the following:

1. What data types REQUIRE single quotes for UPDATE and INSERT statements?
* We are using MS SQL 2008 R2 with CF9

2. Is it best practice to use CFQUERYPARAM for EVERY statement now days?

I searched everywhere but can't seem to find any type of reference sheet anywhere that I can use when building my statemnts.

Thanks in advance.

G.

goxmedia

Newbie Poster

1 post since Aug 2011

Reputation Points: 10

Solved Threads: 0

9 Months Ago

0

It is best to always use cfqueryparam because it not only for a performance boost but to protect the database from SQL injections always. Usually when using the cfqueryparam you do not need to worry about when to use single or double quotes. If you have data that has single of double quotes then you can use the perservesinglequotes() function. http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_m-r_14.html .

Hope this helps!

cfwebdeveloper

Junior Poster in Training

78 posts since May 2011

Reputation Points: 19

Solved Threads: 8

9 Months Ago

0

Huh? In one breadth you preach protection against sql injection, and in the next you recommend a function that encourages sql injection ;-)

- DO use cfqueryparam for sql injection protection
- DO NOT use perservesinglequotes, it risks sql injection