Alan asks:
I have a search that I want to run on various fields, but then I also want to save that search, so that when the person returns to the page... the old search query is re-run, until they either log off or perform a different search.
My dilemma lies in how to do this 'securely'.
I can cfset some variable to the query, perform the query and then save it in my client or session scope... however in cfsetting the query variable outside the cfquery tags, I cannot use cfqueryparam to make it secure. Any ideas? How would I perform a custom query and save it for reuse... while being secure?
I think you are overthinking this a bit. If you store their last search in a variable like session.lastsearch, then your search form page could do something as simple as this:
<cfif not structKeyExists(form, "search") and structKeyExists(session, "search")>
<cfset form.search = session.search>
</cfif>
When the user lands on the page and they had searched before, the code above will set the current search equal to the last search. It also correctly notices that you aren't searching for someone new.
At this point, you call whatever code you have that performs the search, which darn well better use cfqueryparam of course.
Now let me address something you said: "cfsetting the query variable outside the cfquery tags, I cannot use cfqueryparam to make it secure"
I'm not quite sure what you mean by this - but just because you create some variable elsewhere, it does not impact your ability to use that variable inside a cfqueryparam tag.
Archived Comments
Hi Ray,
What I meant is that if I have a custom search I'm saving as a query variable to execute to do the query, I can't do something like this...
<cfset SavingMyQuery = "Select * from Table
Where <cfqueryparam value="aVariable" cfsqltype="CF_SQL_VARCHAR">
AND <cfqueryparam value="bVariable" cfsqltype="CF_SQL_VARCHAR">
AND <cfqueryparam value="cVariable" cfsqltype="CF_SQL_VARCHAR">">
I would want to use cfqueryparam, however I cannot, since CF bombs when <cfqueryparam> is not directly used within a <cfquery> tag... Does that make more sense? I want to use cfqueryparam, but can't seem to figure out how if I plan to save and reuse the query.
Why save the SQL though? Why not just save the search term?
There are lots and lots of search variables... so it boils into a fairly lengthy list.
So there's not necessarily a simple way to just save the query, but I see what you are saying. I could potentially save each search variable into a scope, and then build the SQL statement rather than saving a single variable that IS the SQL statement.
Bummer there isn't a simpler option, but I think that might do the trick...
thanks,
alan
I still think you are overdoing it a bit. Even if there are 10 variables, you can copy them into the session scope easily enough, and copy them into the form scope as I described above.
Ahhh... now I get it, save the whole form. Cool. Thanks Ray!
Since the form is basically a struct, why not just save the form to a session var? Then it would be a lot easier and a lot less code than saving each form var individually.
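Putting Ray's answer and the last comment together, here is an added example (not code from the post or its comments) of a search page that saves the whole form struct to the session, restores it when the visitor comes back, and still binds every value with cfqueryparam. The datasource name, the people table and its columns are assumed for illustration.

```cfml
<!--- Added example, not from the original post. Datasource "myDSN",
      table "people" and its columns are assumptions. --->

<!--- A fresh submission replaces the saved search; otherwise reuse it. --->
<cfif structKeyExists(form, "search")>
    <cfset session.lastSearch = duplicate(form)>
<cfelseif structKeyExists(session, "lastSearch")>
    <!--- Copy the saved fields into the form scope without overwriting anything present --->
    <cfset structAppend(form, session.lastSearch, false)>
</cfif>

<cfparam name="form.lastName" default="">
<cfparam name="form.city" default="">
<cfparam name="form.minAge" default="">

<cfif structKeyExists(form, "search")>
    <!--- The SQL is built at request time; the saved data is only the field values,
          so each one still goes through cfqueryparam and never lands in the SQL string --->
    <cfquery name="results" datasource="myDSN">
        SELECT id, firstName, lastName, city, age
        FROM people
        WHERE 1 = 1
        <cfif len(trim(form.lastName))>
            AND lastName LIKE <cfqueryparam value="#form.lastName#%" cfsqltype="cf_sql_varchar">
        </cfif>
        <cfif len(trim(form.city))>
            AND city = <cfqueryparam value="#form.city#" cfsqltype="cf_sql_varchar">
        </cfif>
        <cfif isNumeric(form.minAge)>
            AND age >= <cfqueryparam value="#form.minAge#" cfsqltype="cf_sql_integer">
        </cfif>
    </cfquery>
</cfif>

<!--- On logoff, clearing the saved search is one structDelete(session, "lastSearch") --->
```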