
Hello,

In CFQUERY operations, can someone advise as to the following:

1. What data types REQUIRE single quotes for UPDATE and INSERT statements?
* We are using MS SQL 2008 R2 with CF9

2. Is it best practice to use CFQUERYPARAM for EVERY statement now days?

I searched everywhere but can't seem to find any type of reference sheet anywhere that I can use when building my statements.

Thanks in advance.

G.

3 contributors, 3 replies, 4 views, discussion span 6 years, last post by cfwebdeveloper

It is best to always use cfqueryparam, not only for a performance boost but to protect the database from SQL injection. Usually when using cfqueryparam you do not need to worry about when to use single or double quotes. If you have data that has single or double quotes then you can use the preserveSingleQuotes() function. http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions_m-r_14.html.

Hope this helps!

Edited by cfwebdeveloper: n/a


Huh? In one breath you preach protection against SQL injection, and in the next you recommend a function that encourages SQL injection ;-)

- DO use cfqueryparam for SQL injection protection
- DO NOT use preserveSingleQuotes(); it risks SQL injection

If you have data that has single or double quotes then you can use the preserveSingleQuotes() function.

It does nothing for double quotes. Only single quotes.

Edited by arrgh: n/a
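As an added worked example (not code posted by anyone in this thread), here is what the two replies above describe side by side: a string-built query where preserveSingleQuotes() re-enables injection, and the same SELECT, INSERT and UPDATE written with cfqueryparam so that the data types the original question asks about (varchar, integer, decimal and datetime on SQL Server 2008 R2) are bound by cfsqltype instead of being quoted by hand. The datasource name appDSN, the dbo.Customers table, the form and url fields and the hostile search string are all assumptions constructed for the example.

```cfml
<!--- Added example, not from the thread. Assumed schema on SQL Server 2008 R2:
      dbo.Customers(CustomerID int IDENTITY, LastName varchar(100),
                    Balance decimal(10,2), Modified datetime)
      Assumed datasource name: appDSN --->

<!--- Constructed hostile input, the kind a search box would deliver --->
<cfset searchName = "x' OR 1=1; --">

<!--- WRONG: string-built SQL plus preserveSingleQuotes().
      Inside cfquery, ColdFusion normally doubles a single quote found in a
      #variable#, so 'x'' OR 1=1; --' would be a harmless literal.
      preserveSingleQuotes() switches that off, and SQL Server receives:
          WHERE LastName = 'x' OR 1=1; --'
      i.e. every row, with the comment swallowing the trailing quote. --->
<cfquery name="unsafe" datasource="appDSN">
    SELECT CustomerID, LastName, Balance
    FROM   dbo.Customers
    WHERE  LastName = '#preserveSingleQuotes(searchName)#'
</cfquery>

<!--- RIGHT: bind every value with cfqueryparam. No quotes are written by hand,
      whatever the SQL type; the driver sends the value as a typed parameter,
      so the same searchName arrives as the literal string x' OR 1=1; -- --->
<cfquery name="safe" datasource="appDSN">
    SELECT CustomerID, LastName, Balance
    FROM   dbo.Customers
    WHERE  LastName = <cfqueryparam value="#searchName#" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>

<!--- INSERT: one cfsqltype per column type, no quoting decisions at all. --->
<cfquery datasource="appDSN">
    INSERT INTO dbo.Customers (LastName, Balance, Modified)
    VALUES (
        <cfqueryparam value="#form.lastName#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.balance#"  cfsqltype="cf_sql_decimal" scale="2">,
        <cfqueryparam value="#now()#"         cfsqltype="cf_sql_timestamp">
    )
</cfquery>

<!--- UPDATE: cf_sql_integer also validates the input; a non-numeric
      form.customerID throws before any SQL is sent. null="true" sends a
      real NULL instead of an empty string. --->
<cfquery datasource="appDSN">
    UPDATE dbo.Customers
    SET    Balance  = <cfqueryparam value="#form.balance#" cfsqltype="cf_sql_decimal" scale="2"
                                    null="#NOT len(trim(form.balance))#">,
           Modified = <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
    WHERE  CustomerID = <cfqueryparam value="#form.customerID#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Caveat: cfqueryparam binds values only. An identifier such as the column
      in ORDER BY cannot be a parameter, so it must come from an allow-list. --->
<cfparam name="url.sort" default="LastName">
<cfset sortCol = "LastName">
<cfif listFindNoCase("LastName,Balance,Modified", url.sort)>
    <cfset sortCol = url.sort>
</cfif>
<cfquery name="sorted" datasource="appDSN">
    SELECT CustomerID, LastName, Balance
    FROM   dbo.Customers
    ORDER  BY #sortCol#
</cfquery>
```

On question 1 from the original post: if a value is inlined as text, SQL Server needs single quotes around character, date/time and uniqueidentifier literals and none around numeric or bit literals, but the point of the example is that once every value goes through cfqueryparam that rule never has to be applied by hand. The only things cfqueryparam cannot protect are table and column names and keywords like ASC/DESC, which is why the last query checks url.sort against a fixed list before interpolating it.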


lol thanks Arrrgh, very true. Wasn't thinking straight when I wrote that post. Thanks for the backup. zZzZz :)

Edited by cfwebdeveloper: n/a
