
I have a simple update query that involves only one table. I first wrote it without using CFQUERYPARAM and kept getting errors whenever the integer fields (zip, plus 4, etc.) were empty. So I rewrote it with CFQUERYPARAM so that empty values would not produce errors. Now, when I do enter something in the integer fields, the data is not saved.

What am I missing?

Thanks

DW

<cfquery name="updt_person" datasource="#application.datasource#">
  UPDATE tblperson 
  SET 
    firstname = '#form.firstname#', 
    lastname = '#form.lastname#', 
    address_line_1 = '#form.address_line_1#', 
    address_line_2 = '#form.address_line_2#', 
    city = '#form.city#', 
    stateid = #form.stateid#, 
    zip = <cfqueryparam value = "#form.zip#" cfsqltype = "CF_SQL_INTEGER" null = "yes">, 
    plus4 = <cfqueryparam value = "#form.plus4#" cfsqltype = "CF_SQL_INTEGER" null = "yes">, 
    area_code = <cfqueryparam value = "#form.area_code#" cfsqltype = "CF_SQL_INTEGER" null = "yes">, 
    prefix = <cfqueryparam value = "#form.prefix#" cfsqltype = "CF_SQL_INTEGER" null = "yes">, 
    suffix = <cfqueryparam value = "#form.suffix#" cfsqltype = "CF_SQL_INTEGER" null = "yes"> 
  WHERE personid = #get_personid.personid#
</cfquery>
1 Answer

First things first. Use `cfqueryparam` for all user input when you use it in a query. The fields `#form.firstname#`, `#form.lastname#`, etc. should all be in a `cfqueryparam` to prevent SQL injection.

The problem you are facing here is the incorrect use of the `null` attribute of the `cfqueryparam` tag.

The `null` parameter should be an expression that evaluates to `true` or `false`. If you supply `yes` directly as the value, the result becomes this:

suffix = NULL

Now, let's look at how to use the `null` attribute.

<cfqueryparam
  value = "#form.suffix#"
  cfsqltype = "CF_SQL_INTEGER"
  null = "#len(trim(form.suffix)) EQ 0#"
> 

The above ensures that `NULL` is passed as the column value if `form.suffix` is empty. You can change this validation according to your application logic.

Also, newer versions (CF 11+) do not need the `CF_SQL_` prefix in the `cfsqltype` attribute.

So the final query should look like this.

<cfquery name="updt_person" datasource="#application.datasource#">
  UPDATE tblperson 
  SET 
    firstname = <cfqueryparam value = "#form.firstname#" cfsqltype = "VARCHAR">, 
    lastname = <cfqueryparam value = "#form.lastname#" cfsqltype = "VARCHAR">, 
    address_line_1 = <cfqueryparam value = "#form.address_line_1#" cfsqltype = "VARCHAR">, 
    address_line_2 = <cfqueryparam value = "#form.address_line_2#" cfsqltype = "VARCHAR">, 
    city = <cfqueryparam value = "#form.city#" cfsqltype = "VARCHAR">, 
    stateid = <cfqueryparam value = "#form.stateid#" cfsqltype = "VARCHAR">, 
    zip = <cfqueryparam value = "#form.zip#" cfsqltype = "INTEGER" null = "#len(trim(form.zip)) EQ 0#">, 
    plus4 = <cfqueryparam value = "#form.plus4#" cfsqltype = "INTEGER" null = "#len(trim(form.plus4)) EQ 0#">, 
    area_code = <cfqueryparam value = "#form.area_code#" cfsqltype = "INTEGER" null = "#len(trim(form.area_code)) EQ 0#">, 
    prefix = <cfqueryparam value = "#form.prefix#" cfsqltype = "INTEGER" null = "#len(trim(form.prefix)) EQ 0#">, 
    suffix = <cfqueryparam value = "#form.suffix#" cfsqltype = "INTEGER" null = "#len(trim(form.suffix)) EQ 0#"> 
  WHERE personid = <cfqueryparam value = "#get_personid.personid#" cfsqltype = "INTEGER">
</cfquery>
answered 2020-04-07T15:56:47.440
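The three behaviours discussed in this thread (the syntax error on a blank integer with string-spliced SQL, the silent data loss from `null="yes"`, and the accepted answer's conditional `NULL` plus parameter binding) are reproduced below in Python against an in-memory SQLite table. This is an added example, not code from the question or the answer; the `tblperson` schema, the sample row and the form values are constructed for the demonstration, and `int_or_null` is a hypothetical helper standing in for `null = "#len(trim(form.x)) EQ 0#"`. It also shows, beyond what the answer spells out, why the interpolated version is an injection point and how the bound version stores the same payload harmlessly.

```python
import sqlite3


# Constructed sample schema and row (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblperson ("
        "personid INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, "
        "zip INTEGER, plus4 INTEGER)"
    )
    conn.execute("INSERT INTO tblperson VALUES (1, 'Ann', 'Lee', 12345, 6789)")
    return conn


def int_or_null(raw):
    """Hypothetical helper mirroring null="#len(trim(form.x)) EQ 0#":
    blank -> NULL (None); anything else must parse as an integer, which is
    what an INTEGER parameter type enforces instead of splicing text."""
    text = (raw or "").strip()
    return None if text == "" else int(text)


def update_interpolated(conn, personid, form):
    """The question's first attempt: form values spliced into the SQL text.
    A blank integer field yields 'zip = ,' (a syntax error), and every
    string field is an injection point."""
    sql = (
        f"UPDATE tblperson SET firstname = '{form['firstname']}', "
        f"zip = {form['zip']} WHERE personid = {personid}"
    )
    conn.execute(sql)


def update_always_null(conn, personid, form):
    """What null="yes" actually does: the bound value is NULL no matter
    what the user typed, so the typed value is silently discarded."""
    conn.execute(
        "UPDATE tblperson SET zip = ?, plus4 = ? WHERE personid = ?",
        (None, None, personid),
    )


def update_parameterized(conn, personid, form):
    """The answer's pattern: every value bound as a parameter, and the
    integer columns NULL only when the field is blank."""
    conn.execute(
        "UPDATE tblperson SET firstname = ?, lastname = ?, zip = ?, plus4 = ? "
        "WHERE personid = ?",
        (form["firstname"], form["lastname"],
         int_or_null(form["zip"]), int_or_null(form["plus4"]), personid),
    )


def row(conn, personid):
    return conn.execute(
        "SELECT firstname, lastname, zip, plus4 FROM tblperson WHERE personid = ?",
        (personid,),
    ).fetchone()


def demo_empty_int_interpolated():
    """True when the interpolated query fails on a blank zip (the original error)."""
    conn = make_db()
    try:
        update_interpolated(conn, 1, {"firstname": "Ann", "zip": ""})
    except sqlite3.OperationalError:
        return True
    return False


def demo_always_null():
    """User typed a zip and plus4, but null="yes" throws both away."""
    conn = make_db()
    update_always_null(conn, 1, {"zip": "90210", "plus4": "1234"})
    return row(conn, 1)  # ('Ann', 'Lee', None, None)


def demo_conditional_null():
    """Conditional NULL: zip is stored, a whitespace-only plus4 becomes NULL."""
    conn = make_db()
    update_parameterized(conn, 1, {"firstname": "Ann", "lastname": "Lee",
                                   "zip": "90210", "plus4": "  "})
    return row(conn, 1)  # ('Ann', 'Lee', 90210, None)


def demo_injection():
    """Same crafted firstname through both paths: the spliced query lets the
    payload rewrite lastname; the bound query stores it as a literal string."""
    payload = "x', lastname = 'pwned"
    conn = make_db()
    update_interpolated(conn, 1, {"firstname": payload, "zip": "1"})
    hit = row(conn, 1)
    conn = make_db()
    update_parameterized(conn, 1, {"firstname": payload, "lastname": "Lee",
                                   "zip": "1", "plus4": ""})
    safe = row(conn, 1)
    return hit, safe
```

Run the four `demo_*` functions to see each case; the `?` placeholders play the role of `cfqueryparam`, and passing `None` for a bound parameter is the driver-level equivalent of `null = "true"`.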