Hello,

In CFQUERY operations, can someone advise as to the following:

1. What data types REQUIRE single quotes for UPDATE and INSERT statements?
* We are using MS SQL 2008 R2 with CF9

2. Is it best practice to use CFQUERYPARAM for EVERY statement now days?

I searched everywhere but can't seem to find any type of reference sheet anywhere that I can use when building my statemnts.

Thanks in advance.

G.

Recommended Answers

It is best to always use cfqueryparam because it not only for a performance boost but to protect the database from SQL injections always. Usually when using the cfqueryparam you do not need to worry about when to use single or double quotes. If you have data that has single …

Jump to Post

All 3 Replies

It is best to always use cfqueryparam because it not only for a performance boost but to protect the database from SQL injections always. Usually when using the cfqueryparam you do not need to worry about when to use single or double quotes. If you have data that has single of double quotes then you can use the perservesinglequotes() function. http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_m-r_14.html.

Hope this helps!

Huh? In one breadth you preach protection against sql injection, and in the next you recommend a function that encourages sql injection ;-)

- DO use cfqueryparam for sql injection protection
- DO NOT use perservesinglequotes, it risks sql injection

If you have data that has single of double quotes then you can use the perservesinglequotes() function.

It does nothing for double quotes. Only single quotes.

lol thanks Arrrgh, very true. Wasn't thinking straight when I wrote that post. Thanks for the backup. zZzZz :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.21 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.