why isn't this coldfusion query not working?

Question

I am having an issue with trying to update an SQL table with this cfquery. Here is the code in cold fusion:

    <CFSET dateTimes=DateFormat(Now(),"mm\dd\yyyy")>
    <CFQUERY NAME="updateTime" DATASOURCE="#this_datasource#">
        UPDATE users
        SET ACTIVITYDATE = CAST(#dateTimes# AS smalldatetime)
        WHERE username = '#Form.login_username#'
        AND Password = '#Form.Password#'
    </CFQUERY>

When trying to execute this it gives me this:

    Error Executing Database Query. [Macromedia][SQLServer JDBC Driver]   [SQLServer]Incorrect syntax near '\25'. 
    The error occurred on line 19.

Also another thing is the type of sal_var the ACTIVITYDATE is smalldatetime. I have also tried doing it without the cast and just doing the plain #dateTimes# var. I have also tried the cfqueryparam which also did not work. Thank you in advance for your help!

Answer 1

The cfqueryparam cfsqltype to use for SQL Server datetime / smalldatetime values is cf_sql_timestamp. You can re-write the code as follows:

<CFSET dateTimes=DateFormat(Now(),"mm/dd/yyyy")>
<CFQUERY NAME="updateTime" DATASOURCE="#this_datasource#">
    UPDATE users
    SET ACTIVITYDATE = <cfqueryparam value="#dateTimes#" cfsqltype="cf_sql_timestamp">
    WHERE username = <cfqueryparam value="#Form.login_username#" cfsqltype="cf_sql_varchar">
    AND Password = <cfqueryparam value="#Form.Password#" cfsqltype="cf_sql_varchar">;
</CFQUERY>

Using cfqueryparam is recommended to avoid SQL injection vulnerabilities.

See: https://wikidocs.adobe.com/wiki/display/coldfusionen/cfqueryparam

Answer 2

Change this:

SET ACTIVITYDATE = CAST(#dateTimes# AS smalldatetime)

to this:

SET ACTIVITYDATE = GetDate()

or, if you don't want the time component

SET ACTIVITYDATE = cast(GetDate() as date)

While you can send a ColdFusion variable, it's not necessary so why bother?