Contents > Developing ColdFusion MX Applications > Accessing and Retrieving Data > Enhancing security with cfqueryparam > Using cfqueryparam

Using cfqueryparam

You can use the cfqueryparam tag to evaluate query string parameters and pass a ColdFusion variable within a SQL statement. This tag evaluates variable values before they reach the database. You specify the data type of the corresponding database column in the cfsqltype attribute of the cfqueryparam tag. In the following example, because the Emp_ID column in the CompanyInfo data source is an integer, you specify a cfsqltype of cf_sql_integer:

<cfquery name="EmpList" datasource="CompanyInfo">
   SELECT *
   FROM Employee
   WHERE Emp_ID = <cfqueryparam value="#Emp_ID#"
                                cfsqltype="cf_sql_integer">
</cfquery>

The cfqueryparam tag checks that the value of Emp_ID is an integer data type. If the value in the query string is anything other than an integer, for example if it also carries a SQL statement to delete a table, the cfquery tag does not execute. Instead, the cfqueryparam tag returns the following error message:

Invalid data '7 DELETE FROM Employee' for CFSQLTYPE 'CF_SQL_INTEGER'.
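The following is an added example, not ColdFusion code and not part of this manual: it emulates in Python what the page describes cfqueryparam doing, namely checking the value against the declared column type first and then passing it to the database as a bound parameter rather than as text spliced into the statement. The Employee table, its rows and the InvalidDataError class are constructed here for the demonstration; sqlite3 stands in for the CompanyInfo data source.

```python
"""Emulation of cfqueryparam's type check plus parameter binding (added example)."""
import sqlite3


class InvalidDataError(ValueError):
    """Raised when a value does not match the declared SQL type (constructed for this demo)."""


def check_sql_integer(value):
    """Mirror cfsqltype="cf_sql_integer": the whole value must parse as one integer.

    A value such as '7 DELETE FROM Employee' is rejected here, before any SQL is built,
    with the same message shape the page shows.
    """
    try:
        return int(str(value).strip())
    except ValueError:
        raise InvalidDataError(
            f"Invalid data '{value}' for CFSQLTYPE 'CF_SQL_INTEGER'.") from None


def make_db():
    """Build a small in-memory Employee table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (Emp_ID INTEGER, LastName TEXT)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?)",
                     [(7, "Alvarez"), (8, "Bennett"), (9, "Chen")])
    conn.commit()
    return conn


def emp_list(conn, emp_id):
    """Equivalent of the page's EmpList query.

    The value is validated as an integer, then handed to the driver through a '?'
    placeholder, so it reaches the database only as a typed parameter value and
    never as part of the statement text.
    """
    emp_id_int = check_sql_integer(emp_id)
    cur = conn.execute("SELECT * FROM Employee WHERE Emp_ID = ?", (emp_id_int,))
    return cur.fetchall()


def row_count(conn):
    """Helper used to confirm the table is untouched after a rejected value."""
    return conn.execute("SELECT COUNT(*) FROM Employee").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(emp_list(db, "7"))          # the legitimate query-string value
    try:
        emp_list(db, "7 DELETE FROM Employee")
    except InvalidDataError as err:
        print(err)                    # rejected before any SQL is executed
    print(row_count(db))              # still 3 rows
```

The two steps are what matter: the type check turns a free-form query-string value into a value of the declared column type, and the placeholder binding means that even a value that passes the check can only ever be compared against Emp_ID, never interpreted as SQL.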




Version 6.1
