I develop a lot of applications that use dynamic queries and my SQL statements are constructed in a way that’s not conducive to enclose them in a CFQuery tag. As such, I’ve usually resorted to checking my variables myself instead of using CFQueryParam. Looking at the option “Variable Usage in Queries” in Lucee administrator, I wondered if I could set it to restrictive (throw an error) AND still build dynamic queries outside of CFQuery. So, I set out to use “Render” with CFQueryParam and was surprised that it actually worked:
<CFSet i='select * from junk where name=<CFQueryParam CFSQLType="CF_SQL_VARCHAR" Value="Ross was here">'>
<CFQuery Name="Recs" DataSource="dev">
<CFSet WriteOutput(Render(i))></CFQuery>
<CFDump Var="#Recs#">
I don't know whether that ended up as a prepared statement before it got submitted to the database server or not. Debug output doesn't show this query any differently than a hard-coded query, whereas Adobe CF used to show a placeholder in the query with its value after the query.
My twofold question is whether, inefficiencies aside, the query is being executed as a prepared statement and, if so, can there be an indication in the debug that it indeed was executed as such?
And thank you for creating such a wonderful implementation of the CFML language.
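For comparison, here is an added example (not code from the post above and not Lucee's own code) of the other common way to keep a dynamically assembled query parameterised: queryExecute() with a params struct. The SQL text is built only from fixed literals, and every value the caller supplies is bound by name, so the driver still receives a prepared statement. The table "junk", column "name" and datasource "dev" are taken from the post; the function name, the "created" column and the filter keys are hypothetical.

```cfml
// Added example: dynamic WHERE clause with bound parameters via queryExecute().
// Table "junk", column "name" and datasource "dev" come from the post;
// findJunk(), the "created" column and the filter keys are hypothetical.
function findJunk( struct filters = {} ) {
    var sql    = "SELECT * FROM junk WHERE 1=1";
    var params = {};

    // Each branch appends only a fixed string to the SQL text;
    // the caller's value goes into the params struct, never into the text.
    if ( structKeyExists( arguments.filters, "name" ) ) {
        sql &= " AND name = :name";
        params.name = { value: arguments.filters.name, cfsqltype: "cf_sql_varchar" };
    }
    if ( structKeyExists( arguments.filters, "since" ) ) {
        sql &= " AND created >= :since";   // hypothetical column
        params.since = { value: arguments.filters.since, cfsqltype: "cf_sql_timestamp" };
    }

    // The "result" option captures execution metadata in local.info.
    return queryExecute( sql, params, { datasource: "dev", result: "local.info" } );
}

// Usage: only the name filter is set, so the statement sent is
// "SELECT * FROM junk WHERE 1=1 AND name = ?" with the value bound separately.
recs = findJunk( { name: "Ross was here" } );
writeDump( recs );
```

Because the param values never touch the SQL string, this pattern stays compatible with the restrictive setting of "Variable Usage in Queries" without any manual escaping. To see what was sent, the result struct captured through the "result" option carries the executed SQL (an assumption about its "sql" key; check the Lucee docs for the exact contents), which is the closest thing to the placeholder display the post describes from Adobe CF.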