Solved

CFQUERYPARAM or not

Posted on 2011-09-16
6
367 Views
Last Modified: 2013-12-24
for the query below should I be using CFQUERYPARAM?

The ClientStatusID will not be a variable. it will always be as shown.

SELECT     m.IMailID, m.ClientID, m.EnvelopeImagePath, m.EnvelopeImageStatus, m.EnvelopeImageName, u.UserID, u.FirstName, u.LastName, u.UserEmail,
                      m.EnvelopeAlertDate ,(select count(*) from imail.tblIMail where ClientID = u.ClientID) as documentCount, c.ClientStatusID
FROM         imail.tblIMail AS m INNER JOIN
                      imail.tblClients AS c ON m.ClientID = c.ClientID INNER JOIN
                      imail.tblUsers AS u ON c.ClientID = u.ClientID
WHERE  (c.ClientStatusID = 1 or c.ClientStatusID = 2)
AND NOT EXists (SELECT act.UserID
                   FROM imail.tbliMailActions act
                   where act.UserID  = u.UserID
                              and act.IMailID = m.IMailID)
0
Comment
Question by:Shawn
  • 3
  • 2
6 Comments
 
LVL 19

Expert Comment

by:erikTsomik
ID: 36552103
well I would be using <cfqueryparam to prevent the sql injection and security purposes

0
 
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 36552145
No.  

You only need to use cfqueryparam when the query uses variable or user supplied input. If neither of those are true, you don't need cfqueryparam.
0
 
LVL 52

Expert Comment

by:_agx_
ID: 36552167
>> WHERE  (c.ClientStatusID = 1 or c.ClientStatusID = 2)

Having absolutely nothing to do with your question ;-) you could increase readability by rewriting it as:

     WHERE  c.ClientStatusID IN (1,2)
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Closing Comment

by:Shawn
ID: 36552231
thanks agx. that's what i thought but wasn't sure.

also thx for the query pointer. changed and is now easier to follow :-)
0
 
LVL 52

Expert Comment

by:_agx_
ID: 36552270
The primary reasons for using it are
A) performance/caching
B) defense against sql injection
C) data type checking

I used to do it myself, but then discovered there's no benefit with constants.
A) If the values don't change the db will cache the query plan without cfqueryparam's help
B) Since they're not user supplied, there's nothing to defend against. Unless it's yourself. But then you've got bigger problems than cfqueryparam can fix.
C) Doesn't apply with constants
0
 
LVL 1

Author Comment

by:Shawn
ID: 36552311
good set of rules. I shouldn't have any more doubts. :)
0

Featured Post

Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Has my website been infiltrated? 21 68
ip / url redirect 13 73
Question to locate the problem 18 127
coldfusion grab more the one form field to make an insert 3 48
Hi, Even though I have created this Tutorial on My personal Blog, Some people might not able to find my website, So here i am posting it again Today, from the topic it is very clear that i will be showing you here the very basic usage of how we …
Introduction This article explores the design of a cache system that can improve the performance of a web site or web application.  The assumption is that the web site has many more “read” operations than “write” operations (this is commonly the ca…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question