In an ideal world, everyone is using qb or quick, and you really don't know what a bind variable is. Before you discovered this ideal world, maybe you were using queryExecute and writing queries like this one:
var q = queryExecute("Select * from users where userId = #url.UserId#");
This kind of code (don't do this in production!) is wide open to SQL injection attacks. This post is not about SQL injection, so we assume you were already smart enough to use query params, so something similar to this:
var q = queryExecute(
    sql = "Select * from users where userId = :myId",
    params = { myId: { value = rc.UserId, cfsqlType = "integer" } }
);
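To see why the bound version matters, here is an added example (not code from the original post) that runs the two forms against an in-memory query object via query-of-queries, so no datasource is needed; the variable names, the sample rows and the tampered request value are all constructed for illustration.

```cfml
// Added example: interpolated query vs. bind parameter, run with
// query-of-queries (dbtype = "query") so it works without a database.
// Save inside a <cfscript> block in a .cfm page under Lucee or ColdFusion.
users = queryNew(
    "userId,userName",
    "integer,varchar",
    [ [ 1, "alice" ], [ 2, "bob" ], [ 3, "carol" ] ]
);

// Constructed request value: a caller tampered with the userId parameter.
taintedId = "2 OR 1=1";

// 1. String interpolation: the whole value becomes part of the SQL text,
//    so the extra condition is evaluated and every row comes back.
unsafe = queryExecute(
    "SELECT userId, userName FROM users WHERE userId = #taintedId#",
    {},
    { dbtype: "query" }
);
writeOutput( "interpolated: " & unsafe.recordCount & " rows<br>" );

// 2. Bind parameter with cfsqlType = "integer": the value travels separately
//    from the SQL text, and a non-integer value is rejected before any SQL
//    runs. Catch it and log it instead of leaking the engine error.
try {
    safe = queryExecute(
        "SELECT userId, userName FROM users WHERE userId = :userId",
        { userId: { value: taintedId, cfsqltype: "integer" } },
        { dbtype: "query" }
    );
    writeOutput( "bound: " & safe.recordCount & " rows<br>" );
} catch ( any e ) {
    writeLog( text = "Rejected non-integer userId: " & taintedId, type = "warning" );
    writeOutput( "bound: value rejected before the query ran<br>" );
}

// 3. A legitimate id behaves the same with either form: exactly one row.
ok = queryExecute(
    "SELECT userId, userName FROM users WHERE userId = :userId",
    { userId: { value: 2, cfsqltype: "integer" } },
    { dbtype: "query" }
);
writeOutput( "legitimate: " & ok.recordCount & " row(s)<br>" );
```

The interpolated query returns all three rows, the bound query refuses the tampered value, and the legitimate lookup returns one row either way.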