|
DescriptionVerifies
the data type of a query parameter and, for DBMSs that support bind variables,
enables ColdFusion to use bind variables in the SQL statement. Bind variable
usage enhances performance when executing a cfquery statement multiple
times.
This tag is nested within a cfquery tag,
embedded in a query SQL statement. If you specify optional parameters,
this tag performs data validation.
Adobe recommends that you
use the cfqueryparam tag within every cfquery tag,
to help secure your databases from unauthorized users. For more information,
see Security Bulletin ASB99-04, “ Multiple SQL Statements in Dynamic Queries,”
at www.adobe.com/go/sn_asb99-04,
and Accessing
and Retrieving Data in the Developing ColdFusion Applications.
Syntax<cfquery
name = "query name"
dataSource = "data source name"
...other attributes...
SQL STATEMENT column_name =
<cfqueryparam value = "parameter value"
CFSQLType = "parameter type"
list = "yes|no"
maxLength = "maximum parameter length"
null = "yes|no"
scale = "number of decimal places"
separator = "separator character">
AND/OR ...additional criteria of the WHERE clause...>
</cfquery>
Note: You can specify
this tag’s attributes in an attributeCollection attribute
whose value is a structure. Specify the structure name in the attributeCollection attribute
and use the tag’s attribute names as structure keys.
Attributes
Attribute
|
Req/Opt
|
Default
|
Description
|
|---|
value
|
Required
|
|
Value that ColdFusion passes to the right
of the comparison operator in a where clause.
If CFSQLType is
a date or time option, ensure that the date value uses your DBMS-specific
date format. Use the CreateODBCDateTime or DateFormat and TimeFormat functions
to format the date value.
|
CFSQLType
|
Optional
|
CF_SQL_CHAR
|
SQL type that parameter (any type) is bound
to:
CF_SQL_BIGINT
CF_SQL_BIT
CF_SQL_CHAR
CF_SQL_BLOB
CF_SQL_CLOB
CF_SQL_DATE
CF_SQL_DECIMAL
CF_SQL_DOUBLE
CF_SQL_FLOAT
CF_SQL_IDSTAMP
CF_SQL_INTEGER
CF_SQL_LONGVARCHAR
CF_SQL_MONEY
CF_SQL_MONEY4
CF_SQL_NUMERIC
CF_SQL_REAL
CF_SQL_REFCURSOR
CF_SQL_SMALLINT
CF_SQL_TIME
CF_SQL_TIMESTAMP
CF_SQL_TINYINT
CF_SQL_VARCHAR
|
list
|
Optional
|
no
|
|
maxLength
|
Optional
|
Length of string in value attribute
|
Maximum length of parameter. Ensures that
the length check is done by ColdFusion before the string is sent
to the DBMS, thereby helping to prevent the submission of malicious
strings.
|
null
|
Optional
|
no
|
Whether parameter is passed as a null value:
|
scale
|
Optional
|
0
|
Number of decimal places in parameter. Applies
to CF_SQL_NUMERIC and CF_SQL_DECIMAL.
|
separator
|
Required, if you specify a list in value attribute
|
, (comma)
|
Character that separates values in list,
in value attribute.
|
UsageUse the cfqueryparam tag
in any SQL statement (for example, SELECT, INSERT, UPDATE, and DELETE)
that uses ColdFusion variables.
For maximum validation of
string data, specify the maxlength attribute.
This
tag does the following:
Allows the use of SQL bind
parameters, which improves performance.
Ensures that variable data matches the specified SQL type.
Allows long text fields to be updated from a SQL statement.
Escapes string variables in single-quotation marks.
To
benefit from the enhanced performance of bind variables, use cfqueryparam for
all ColdFusion variables, and your DBMS must support bind variables.
If a DBMS does not support bind parameters, ColdFusion validates
and substitutes the validated parameter value back into the string.
If validation fails, it returns an error message.
The validation
rules are as follows:
For these types, a data value
can be converted to a numeric value: CF_SQL_SMALLINT, CF_SQL_INTEGER,
CF_SQL_REAL, CF_SQL_FLOAT, CF_SQL_DOUBLE, CF_SQL_TINYINT, CF_SQL_MONEY,
CF_SQL_MONEY4, CF_SQL_DECIMAL, CF_SQL_NUMERIC, and CF_SQL_BIGINT
For these types, a data value can be converted to a date
supported by the target data source: CF_SQL_DATE, CF_SQL_TIME, CF_SQL_TIMESTAMP
For all other types, if the maxLength attribute
is used, a data value cannot exceed the maximum length specified.
ColdFusion
debug output shows the bind variables as question marks and lists the
values beneath the query, in order of usage.
Note: To
insert an empty string into a Microsoft Access table using the SequelLink ODBC
Socket or SequelLink Access driver, the CFSQLType attribute must
specify CF_SQL_LONGVARCHAR.
The following table shows the
mapping of ColdFusion SQL data types with JDBC SQL types and those
of the listed database management systems:
ColdFusion
|
JDBC
|
DB2
|
Informix
|
Oracle
|
MSSQL
|
|---|
CF_SQL_ARRAY
|
ARRAY
|
|
|
|
|
CF_SQL_BIGINT
|
BIGINT
|
Bigint
|
int8, serial8
|
|
bigint
|
CF_SQL_BINARY
|
BINARY
|
Char for Bit
Data
|
|
|
binary
timestamp
|
CF_SQL_BIT
|
BIT
|
|
boolean
|
|
bit
|
CF_SQL_BLOB
|
BLOB
|
Blob
|
blob
|
blob, bfile
|
longvarbinary
|
CF_SQL_CHAR
|
CHAR
|
Char
|
char, nchar
|
char, nchar
|
char
|
CF_SQL_CLOB
|
CLOB
|
Clob
|
clob
|
clob,nclob
|
|
CF_SQL_DATE
|
DATE
|
Date
|
date, datetime, year to day
|
|
date
|
CF_SQL_DECIMAL
|
DECIMAL
|
Decimal
|
decimal, money
|
number
|
decimal
|
CF_SQL_DISTINCT
|
DISTINCT
|
|
|
|
|
CF_SQL_DOUBLE
|
DOUBLE
|
Double
|
|
|
double
|
CF_SQL_FLOAT
|
FLOAT
|
Float
|
float
|
number
|
real
|
CF_SQL_IDSTAMP
|
CHAR
|
Char
|
char, nchar
|
char, nchar
|
char
|
CF_SQL_INTEGER
|
INTEGER
|
Integer
|
integer, serial
|
|
integer
|
CF_SQL_LONGVARBINARY
|
LONGVARBINARY
|
Long Varchar
for Bit Data
|
byte
|
long raw
|
longvarbinary
|
CF_SQL_LONGVARCHAR
|
LONGVARCHAR
|
Long Varchar
|
text
|
long
|
longvarchar
|
CF_SQL_MONEY
|
DOUBLE
|
Double
|
|
|
double
|
CF_SQL_MONEY4
|
DOUBLE
|
Double
|
|
|
double
|
CF_SQL_NULL
|
NULL
|
|
|
|
|
CF_SQL_NUMERIC
|
NUMERIC
|
Numeric
|
|
|
numeric
|
CF_SQL_OTHER
|
OTHER
|
|
|
|
|
CF_SQL_REAL
|
REAL
|
Real
|
smallfloat
|
|
real
|
CF_SQL_REFCURSOR
|
REF
|
|
|
|
|
CF_SQL_SMALLINT
|
SMALLINT
|
Smallint
|
smallint
|
|
smallint
|
CF_SQL_STRUCT
|
STRUCT
|
|
|
|
|
CF_SQL_TIME
|
TIME
|
Time
|
datetime hour to second
|
|
time
|
CF_SQL_TIMESTAMP
|
TIMESTAMP
|
Timestamp
|
datetime year to fraction(5), datetime year
to second
|
date
|
timestamp
|
CF_SQL_TINYINT
|
TINYINT
|
|
|
|
tinyint
|
CF_SQL_VARBINARY
|
VARBINARY
|
Rowid
|
|
raw
|
varbinary
|
CF_SQL_VARCHAR
|
VARCHAR
|
Varchar
|
varchar, nvarchar, lvarchar
|
varchar2, nvarchar2
|
varchar
|
Example<!--- This example shows cfqueryparam with VALID input in Course_ID. --->
<h3>cfqueryparam Example</h3>
<cfset Course_ID = 12>
<cfquery name = "getFirst" dataSource = "cfdocexamples">
SELECT *
FROM courses
WHERE Course_ID = <cfqueryPARAM value = "#Course_ID#"
CFSQLType = 'CF_SQL_INTEGER'>
</cfquery>
<cfoutput query = "getFirst">
<p>Course Number: #Course_ID#<br> Description: #descript#</p>
</cfoutput>
<!--- This example shows the use of CFQUERYPARAM when INVALID string data is
in Course_ID. ---->
<p>This example throws an error because the value passed in the CFQUERYPARAM tag exceeds the
MAXLENGTH attribute</p>
<cfset LastName="Peterson; DELETE employees WHERE LastName='Peterson'">
<!------- Note that for string input you must specify the MAXLENGTH attribute
for validation. -------------------------------------------------->
<cfquery
name="getFirst" datasource="cfdocexamples">
SELECT *
FROM employees
WHERE LastName=<cfqueryparam
value="#LastName#"
cfsqltype="CF_SQL_VARCHAR"
maxlength="17">
</cfquery>
<cfoutput
query="getFirst"> <p>
Course Number: #FirstName# #LastName#
Description: #Department# </p>
</cfoutput>
|
|
|
