<cfqueryparam> is ColdFusion's way of fighting SQL injection attacks: the value is bound as a typed parameter instead of being pasted into the SQL string. If, however, you just put <cfqueryparam> in your SQL or MySQL query and do nothing else, a user who enters the wrong type of input (letters where a CF_SQL_INTEGER is expected, for instance) will get a server-side error page, which will make them think your website is broken instead of realizing they put in the wrong type of input.
If you use <cfcatch>, be sure to specify that the type is database if you want to be able to display your own error message for that case.
Here's an example:
<cftry>
    <cfquery name="somequeryname" datasource="somedatasource">
        SELECT somefield
        FROM somedatabase
        <!--- The value is bound as a typed parameter, never concatenated into the SQL --->
        WHERE someotherfield = <cfqueryparam
            value="#formname.someotherfieldname#"
            cfsqltype="CF_SQL_INTEGER"
            maxlength="12">
    </cfquery>
    <!--- type="database" catches the exception thrown when the bound value is rejected --->
    <cfcatch type="database">
        yoursupercoolandinformativeerrormessage
    </cfcatch>
</cftry>
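The same pattern carried one step further, as an added example that is not code from the original post: the input is checked with isValid() before the query runs, so the common case (a non-numeric value) never reaches the database at all, and the database catch block logs the real exception server-side while showing the user only a plain message. It assumes a form field form.someotherfieldname, a datasource named somedatasource and a table somedatabase with columns somefield and someotherfield, all of which are placeholders carried over from the post.

```cfml
<!--- Added example; assumes form.someotherfieldname, datasource "somedatasource"
      and table "somedatabase" (somefield, someotherfield) exist. --->
<cfparam name="form.someotherfieldname" default="">

<cfif NOT isValid("integer", form.someotherfieldname)>
    <!--- Reject obviously bad input up front, before touching the database. --->
    <p>Please enter a whole number.</p>
<cfelse>
    <cftry>
        <cfquery name="somequeryname" datasource="somedatasource">
            SELECT somefield
            FROM somedatabase
            <!--- Still bind the value: the type check above is for usability,
                  cfqueryparam is what keeps the value out of the SQL string. --->
            WHERE someotherfield = <cfqueryparam
                value="#form.someotherfieldname#"
                cfsqltype="CF_SQL_INTEGER"
                maxlength="12">
        </cfquery>

        <cfoutput query="somequeryname">
            <p>#somefield#</p>
        </cfoutput>

        <cfcatch type="database">
            <!--- The driver or database rejected the query: keep the details in
                  the server log and give the visitor a message they can act on. --->
            <cflog file="somequeryname"
                   type="error"
                   text="#cfcatch.message# #cfcatch.detail#">
            <p>We could not run your search. Please check your input and try again.</p>
        </cfcatch>
    </cftry>
</cfif>
```

The up-front isValid() check is what most visitors will hit; the <cfcatch type="database"> remains for values that pass the check but are still refused by the database (an integer outside the column's range, for example), and for genuine database outages, without exposing the driver's error text.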