Handling cfqueryparam errors in ColdFusion queries

<cfqueryparam> is ColdFusion's way of fighting against SQL injection attacks. If, however, you just put <cfqueryparam> in your SQL or MySQL query, people entering the wrong type of input will get a server-side error message, which will make them think your website is messed up instead of realizing they put in the wrong type of input.

If you use <cfcatch>, be sure to specify that the type is database if you want to be able to display your own error message.

Here's an example:

<cftry>
<cfquery name="somequeryname" datasource="somedatasource">
SELECT somefield
FROM somedatabase
WHERE someotherfield = <cfqueryparam
value="#formname.someotherfieldname#"
cfsqltype="CF_SQL_INTEGER"
maxlength="12">
</cfquery>
<cfcatch type="database">
yoursupercoolandinformativeerrormessage
</cfcatch>
</cftry>

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.