Update query not updating integer fields using CFQUERYPARAM
I have a simple update query that involves only one table. I first wrote this code without using CFQUERYPARAM and kept getting errors whenever the integer fields (zip, plus 4, etc.) were empty. So I rewrote it with CFQUERYPARAM so that empty values would not produce errors. Now, when I enter something in the integer fields, the data is not saved.
What am I missing?
Thanks
DW
<cfquery name="updt_person" datasource="#application.datasource#">
UPDATE tblperson
SET
firstname = '#form.firstname#',
lastname = '#form.lastname#',
address_line_1 = '#form.address_line_1#',
address_line_2 = '#form.address_line_2#',
city = '#form.city#',
stateid = #form.stateid#,
zip = <cfqueryparam value = "#form.zip#" cfsqltype = "CF_SQL_INTEGER" null = "yes">,
plus4 = <cfqueryparam value = "#form.plus4#" cfsqltype = "CF_SQL_INTEGER" null = "yes">,
area_code = <cfqueryparam value = "#form.area_code#" cfsqltype = "CF_SQL_INTEGER" null = "yes">,
prefix = <cfqueryparam value = "#form.prefix#" cfsqltype = "CF_SQL_INTEGER" null = "yes">,
suffix = <cfqueryparam value = "#form.suffix#" cfsqltype = "CF_SQL_INTEGER" null = "yes">
WHERE personid = #get_personid.personid#
</cfquery>
First thing. Use cfqueryparam for all user input when you use it in a query. The fields #form.firstname#, #form.lastname#, etc. should all be inside cfqueryparam to prevent SQL injection.
The problem you have here is incorrect use of the NULL attribute of the cfqueryparam tag.
The null attribute should be an expression that evaluates to true or false. If you supply yes directly as the value, the result becomes this.
suffix = NULL
Now, let's look at how to use the null attribute.
<cfqueryparam
value = "#form.suffix#"
cfsqltype = "CF_SQL_INTEGER"
null = "#len(trim(form.suffix)) EQ 0#"
>
If form.suffix is empty, the above will make sure NULL is passed as the column value. You can change this validation according to your application logic.
Also, newer versions (CF 11+) do not require the CF_SQL_ prefix in the type attribute.
So the final query should look like this.
<cfquery name="updt_person" datasource="#application.datasource#">
UPDATE tblperson
SET
firstname = <cfqueryparam value = "#form.firstname#" cfsqltype = "VARCHAR">,
lastname = <cfqueryparam value = "#form.lastname#" cfsqltype = "VARCHAR">,
address_line_1 = <cfqueryparam value = "#form.address_line_1#" cfsqltype = "VARCHAR">,
address_line_2 = <cfqueryparam value = "#form.address_line_2#" cfsqltype = "VARCHAR">,
city = <cfqueryparam value = "#form.city#" cfsqltype = "VARCHAR">,
stateid = <cfqueryparam value = "#form.stateid#" cfsqltype = "VARCHAR">,
zip = <cfqueryparam value = "#form.zip#" cfsqltype = "INTEGER" null = "#len(trim(form.zip)) EQ 0#">,
plus4 = <cfqueryparam value = "#form.plus4#" cfsqltype = "INTEGER" null = "#len(trim(form.plus4)) EQ 0#">,
area_code = <cfqueryparam value = "#form.area_code#" cfsqltype = "INTEGER" null = "#len(trim(form.area_code)) EQ 0#">,
prefix = <cfqueryparam value = "#form.prefix#" cfsqltype = "INTEGER" null = "#len(trim(form.prefix)) EQ 0#">,
suffix = <cfqueryparam value = "#form.suffix#" cfsqltype = "INTEGER" null = "#len(trim(form.suffix)) EQ 0#">
WHERE personid = <cfqueryparam value = "#get_personid.personid#" cfsqltype = "INTEGER">
</cfquery>
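The behaviour the answer describes, reproduced outside ColdFusion as an added example (this is not code from the question or the answer). It ports the same two ideas to Python with the standard-library sqlite3 module: every value is a bound parameter rather than interpolated into the SQL string, and a blank form field becomes SQL NULL only when it is actually blank, mirroring null="#len(trim(x)) EQ 0#". The always_null switch reproduces the question's null="yes" on every integer param so you can see why the typed-in numbers never reached the table. The table layout and the form values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample form submission (not from the original post): zip,
# area_code, prefix and suffix filled in, plus4 left blank the way an HTML
# form submits an untouched text box.
FORM = {
    "firstname": "Dana",
    "lastname": "O'Brien",
    "address_line_1": "1 Main St",
    "address_line_2": "",
    "city": "Atlanta",
    "stateid": "GA",
    "zip": "30301",
    "plus4": "",
    "area_code": "404",
    "prefix": "555",
    "suffix": "1234",
}

TEXT_FIELDS = ("firstname", "lastname", "address_line_1", "address_line_2", "city", "stateid")
INT_FIELDS = ("zip", "plus4", "area_code", "prefix", "suffix")


def int_or_null(raw):
    """Python equivalent of null="#len(trim(x)) EQ 0#": a blank string becomes
    SQL NULL (None); anything else must parse as an integer."""
    text = raw.strip()
    return None if text == "" else int(text)


def setup_db():
    """In-memory SQLite stand-in for tblperson (assumed layout) with one existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblperson ("
        "personid INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, "
        "address_line_1 TEXT, address_line_2 TEXT, city TEXT, stateid TEXT, "
        "zip INTEGER, plus4 INTEGER, area_code INTEGER, prefix INTEGER, suffix INTEGER)"
    )
    conn.execute("INSERT INTO tblperson (personid, firstname, lastname) VALUES (1, 'old', 'old')")
    conn.commit()
    return conn


# Every value, including the WHERE clause, is a bound parameter (?), the same
# role cfqueryparam plays in the corrected CFML query.
UPDATE_SQL = (
    "UPDATE tblperson SET "
    + ", ".join(f"{col} = ?" for col in TEXT_FIELDS + INT_FIELDS)
    + " WHERE personid = ?"
)


def update_person(conn, personid, form, always_null=False):
    """Run the parameterized update. always_null=True reproduces the bug in the
    question (null="yes" on every integer param): the integer columns are
    overwritten with NULL no matter what the user typed."""
    text_values = [form[col] for col in TEXT_FIELDS]
    int_values = [None if always_null else int_or_null(form[col]) for col in INT_FIELDS]
    cur = conn.execute(UPDATE_SQL, (*text_values, *int_values, personid))
    conn.commit()
    return cur.rowcount


def read_person(conn, personid):
    """Return the stored lastname and integer columns as a dict."""
    cols = ("lastname",) + INT_FIELDS
    row = conn.execute(
        f"SELECT {', '.join(cols)} FROM tblperson WHERE personid = ?", (personid,)
    ).fetchone()
    return dict(zip(cols, row))


if __name__ == "__main__":
    db = setup_db()
    update_person(db, 1, FORM)
    print("conditional null:", read_person(db, 1))
    db = setup_db()
    update_person(db, 1, FORM, always_null=True)
    print("null='yes' on every param:", read_person(db, 1))
```

Run it and the first line shows zip, area_code, prefix and suffix stored as integers with plus4 NULL; the second shows all five integer columns NULL, which is exactly the "data is not saved" symptom from the question. The lastname O'Brien also round-trips untouched, because a bound parameter never gets spliced into the SQL text the way '#form.lastname#' does.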