Do I have to cfqueryparam or scope values from a query when I'm looping through it?

Question

I'm was sitting forever on a Coldfusion8 INSERT into MySQL (5.0.88)

The data came from a query named "q" like so:

[Record # 1] 
ILN_KAEUFER: 9900000002985 
ILN_VERKAEUFER: 9900000003005 

Then I want to make an INSERT like so:

<cfloop query="q">
     <cfquery datasource="db">
         INSERT INTO table_a ( 
            iln_kaeufer, 
            iln_verkaeufer
         )
         VALUES(
            "#iln_kaeufer#", 
            "#iln_verkaeufer#"
        )
      </cfquery>
 </cfloop> 

This is the only way I can make it work. I first tried to scope both values like so:

 "#q.iln_kaeufer#", 
 "#q.iln_verkaeufer#"

And before that I was using cfqueryparam aswell like so:

  <cfqueryparam value="#q.iln_kaeufer#" cfsqltype="cf_sql_varchar" maxlength="13">
  <cfqueryparam value="#q.iln_verkaeufer#" cfsqltype="cf_sql_varchar" maxlength="13">

Both just produced an error.

I guess this has been asked before, but I did not find a good explanation on when I can/should use CFQUERYPARAM and when not and when to SCOPE and when not.

I always try to param&scope everything and this was the last thing I was looking for as being a mistake.

Thanks for shedding some insights!

Answer 1

So you should always scope where possible, as it saves some overhead on ColdFusion having to backtrack through all the scopes until it finds your variable.

And in this case, even though your data is coming directly from the database, you should still use cfqueryparam. The protection against SQL injection is just one benefit of using cfqueryparam; it also helps with query performance: http://adamcameroncoldfusion.blogspot.co.uk/2012/07/what-one-can-and-cannot-do-with.html

This should work:

<cfloop query="q">
     <cfquery datasource="db">
         INSERT INTO table_a ( 
            iln_kaeufer, 
            iln_verkaeufer
         )
         VALUES(
            <cfqueryparam value="#q.iln_kaeufer#" cfsqltype="cf_sql_varchar" maxlength="13">,  // your code didn't have a comma here when using cfqueryparam?
            <cfqueryparam value="#q.iln_verkaeufer#" cfsqltype="cf_sql_varchar" maxlength="13">
        )
      </cfquery>
 </cfloop> 

And if not I'd say check the column types and sizes. If that's still not it, it might be an issue with having a query inside another query as you're looping over it. You could try the other way to loop round it:

<cfloop index="i" from="1" to="#q.recordcount#">
  use #q.column[i]#
</cfloop>

Answer 2

Of course you should always use explicit scopes, and use parameterized queries (cfqueryparam), for many reasons.

Using cfqueryparam protects against sql injection, allows prepared statements and makes the world a better place. Scoping correctly may gain you some performance, but most of all, its better practice, allowing code to be read faster, since you're not trying to figure out which variable came from where.

What error did the mysql query with cfqueryparam raise ?