Simple guide to switching to CFQUERYPARAM

I've had a few requests to quickly review how to switch a dynamic query not using cfqueryparam to one that is using cfqueryparam. I've covered the reasons for using them many times (basically sql injection and performance). There are also things you lose (like ColdFusion's built in query caching). With that in mind - here is basic rule to consider when figuring out if you need cfqueryparam:

If any portion of the WHERE/VALUES/SET clause in a query is dynamic, the cfqueryparam tag should be used.

So here is a simple example:

<cfquery name="searchUsers" datasource="data">
select id, name, email
from users
where name like '%#form.name#%'
</cfquery>

Now here is the same query switched to cfqueryparam:

<cfquery name="searchUsers" datasource="data">
select id, name, email
from users
where name like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#form.name#%">
</cfquery>

There are two things to note here. First is the cfsqltype value. This value tells the database what type of data is being passed in. There is a whole list of types that you can use. See the table on the cfQuickDocs cfqueryparam page. In general you will use:

  • cf_sql_varchar for simple strings, like my example above.
  • cf_sql_integer for simple numbers, like those used in primary keys

Another example of the power of cfqueryparam is lists. Imagine this query:

<cfquery name="searchUsers" datasource="data">
select id, name, email
from users
where usertype in (#form.categorylist#)
</cfquery>

This can be changed to cfqueryparam like so:

<cfquery name="searchUsers" datasource="data">
select id, name, email
from users
where usertype in (<cfqueryparam cfsqltype="cf_sql_integer" value="#form.categorylist#" list="true">)
</cfquery>

Lastly - I mentioned above in my "rule" (and since I called it that a few hundred of my readers will find exceptions :) that cfqueryparam should be used in the WHERE clause. You can't use it elsewhere. This query would not be a candidate for cfqueryparam usage.

<cfquery name="getSomething" datasource="data">
select #somecol#
from #sometable#
where x = 1

Comments (25) Feb 18, 2007 12:25 PM Views: 2325

Comments

[Add Comment]
Ray - It might be worth mentioning that you should use <cfqueryparam> for dynamic data when inserting and updating data.
# Posted By Scott Stroz | 2/18/07 1:00 PM
Big DUH there. Thanks Scott. I updated the main quote. Is it clear now? Should I add an update/insert example as well?
# Posted By Raymond Camden | 2/18/07 1:09 PM
I cannot remember where I saw it, but I read a blog post a few months back that would argue that the last example above would in fact be a candidate for cfqueryparam:

select #somecol#
from #sometable#
where x = <cfqueryparam value="1" />

While I can't remember who wrote it, they argued that putting the cfqueryparam in the WHERE clause in the above example would actually speed up the query by forcing the query to using value binding. So, while this is not a matter of security, apparently CFQueryParam will bring about a performance increase in simple queries.

Forgive me if this information is wrong, but it is what I recall.
# Posted By Ben Nadel | 2/18/07 3:28 PM
You can use cfqueryparam outside the WHERE too. Consider for instance:
SELECT
price * <cfqueryparam cfsqltype="cf_sql_integer" value="#form.qtty#"> AS amount
FROM
orders

You can not use cfqueryparam to substitute identifiers, but you can use it for values everywhere in the SQL Nstatement.
# Posted By Jochem van Dieten | 2/18/07 4:12 PM
Ben - while that may be true - I was using it as an example to tell folks they can't use cfqp to replace dynamic portions OUTSIDE of where/set/update.

Jochem - Good example there.
# Posted By Raymond Camden | 2/18/07 4:19 PM
Thanks for the example, I didn't realize you could use cfqueryparam with a list like that - cool!
# Posted By Rachel Maxim | 2/18/07 4:32 PM
lists, not having to remember adding quotes to my queries and it handling quotes in the data sold me on using queryparams.
# Posted By Scott P | 2/18/07 5:26 PM
I always wondered about:

select id, name, email
from users
where name like '%#form.name#%'
and active=1

Where the active is a bit column... Would it be necessary to queryparam the active bit, since it isn't really dynamic? (i.e. the form.name is likely to change for every user of the website, but the active bit might not change...)
# Posted By Geoff | 2/18/07 5:58 PM
Ben spoke to this, and while he said he wasn't 100% sure (right Ben?) I belive he is right as well.
# Posted By Raymond Camden | 2/18/07 6:06 PM
Yeah, I am not 100% sure. However, from what I can remember, it was not necessary to have all the "static" values query-paramed. So, in the above, the FORM.name value would be good as a cfqueryparam. Then, the active bit could stay as is. The point of the blog post was to show the difference between a SQL statement that had no query params and a SQL statement that had at least one. The one that had at least one SQL statement performed better.
# Posted By Ben Nadel | 2/18/07 6:54 PM
Correct me if I'm wrong but this is true in my testing.

If active was always (or most often) = 1, you would not want to use queryparam for it.

If you use SQL Server, start SQL Profiler - New Trace to see what is happening under the hood.

The SQL server is caching the query as a stored procedure. Items that are in queryparams are dynamically passed in and evaluated on every query. The other items, such as active = 1, would be built-in to the procedure.

For example, the query in CF written as:
select id, name, email
from users
where name like <cfqueryparam cfsqltype="cf_sql_varchar" value="%#form.name#%">
and active=1

would actually be passed to the sql server as:
exec sp_execute 1, 'Smith'

If you added queryparam to the active bit, it would called like this:
exec sp_execute 1, 'Smith',1

That is why there is a performance gain using queryparams (and why it is slower on first run - or if the query is not used often)
# Posted By Scott P | 2/18/07 7:03 PM
There is also the null value hack - can't remember where I saw this but it's neat:

<cfqueryparam value="#trim(form.name)#" cfsqltype="CF_SQL_VARCHAR" null="#YesNoFormat(Len(Trim(FORM.name)))#">
# Posted By Jim | 2/18/07 9:59 PM
<cfqueryparam value="#trim(form.name)#" cfsqltype="CF_SQL_VARCHAR" null="#YesNoFormat(not Len(Trim(FORM.name)))#">

(If form.name has a length, null should be "no")...
# Posted By Geoff | 2/19/07 4:07 AM
Hey, this is a test.
# Posted By Testing | 2/19/07 7:46 AM
When you are using cfqueryparam for a list, isn't the separator attribute required? So it would look something like this:

<cfqueryparam cfsqltype="cf_sql_integer" value="#form.categorylist#" list="true" separator=",">
# Posted By James, F.E. | 2/19/07 9:36 AM
Comma is the default.
# Posted By Raymond Camden | 2/19/07 9:39 AM
Thanks for this post Ray. This helps.
# Posted By Robert Owen | 2/19/07 4:03 PM
With regards to the whole CFQUERYPARAM and Caching etc etc, I've been wondering recently why CF doesn't support the two together yet BlueDragon does? How do they get round it yet CF doesn't support them together?
# Posted By johnb | 2/21/07 4:02 AM
Well, I think it is just priorities. Maybe wait and see what CF8 offers. :)
# Posted By Raymond Camden | 2/21/07 5:05 AM
What's the most elegant way to protect the following from SQL Injection?

Select * from tablename
order by #fieldname#

Since you can't put fieldname inside a cfqueryparam, currently I've only come up with testing #fieldname# inside if or case/switch statements but with a lot of fieldnames, it gets ugly.
# Posted By Vincent Collins | 9/17/07 3:29 PM
VC - That's actually what I do normally.
# Posted By Raymond Camden | 9/17/07 3:54 PM
OK, thanks Ray!
# Posted By Vincent Collins | 9/17/07 4:13 PM
I have one query that is killing me with the cfqueryparam tag. The query is a search query for products that contain words a customer is searching on. The column to be searched is a text column, so the cfqueryparam needs to be: CF_SQL_VARCHAR.
A simple version of this query would look like this:
SELECT DescribeName, RETAIL, Longdescribe
From Table
Where longdecribe like "%kids%" or longdescribe like "%toy%" or longdescribe like "%8%" or longdescribe like "%years%" or longdescribe like "%old%"
This query would be from a customer search where they typed in "Kids toy 8 years" Then the query would return the the records with these words in them. I have the customer's search in a list. How would you convert this where statement to using the cfqueryparam tag?

Thanks for any help.
# Posted By Eric Bader | 10/21/07 6:02 PM
Just cfloop over the value like a list.

cfloop index="word" list="#form.something#"
# Posted By Raymond Camden | 10/22/07 1:25 PM
I saw how you and Vincent Collins were stating that you use case/switch or if statements for testing order by parameters. I was wondering if you had an example of this. Are you just testing for data type, and business logic or are you also testing for injections?

Thanks
# Posted By Lance VL | 1/25/08 2:18 PM
[Add Comment]