Pete FreitagIs maxlength necessary in cfqueryparam with timestamps?
By Pete Freitag
Jakob Ward recently posted an interesting question to the CFML slack channel:
Is there a point to setting maxlength for a timestamp value in cfqueryparam? Or can this be ignored safely?
My guess was that cfqueryparam would ignore the maxlength attribute when the cfsqltype is timestamp (or cf_sql_timestamp if you like to type). But I wasn't sure, so I conducted a quick test with this code:
<cfset news = queryNew("id,title,datePublished",
"integer,varchar,Timestamp",
{"id":1,"title":"Dewey defeats Truman", "datePublished":now()})>
<cfquery dbtype="query" name="sub">
SELECT * FROM news
WHERE datePublished <= <cfqueryparam value="#now()#" cfsqltype="timestamp" maxlength="1">
</cfquery>
You can run the above code using trycf on ColdFusion 2018 or Lucee 5.
On Lucee
We get an exception on the above code:
value [{ts '2021-01-20 16:59:24'}] is too large, defined maxlength is [1] but length of value is [26] on line 7
If we change the maxlength value to 26, the code runs without error on Lucee. So it appears that Lucee is always checking the length of the value, in this case it is using the string representation of the date object: {ts '2021-01-20 16:59:24'}
On Adobe ColdFusion
It appears to ignore the maxlength attribute of cfqueryparam tag when cfsqltype is timestamp, the code runs without error.
Is maxlength necessary in cfqueryparam with timestamps? was first published on January 20, 2021.
If you like reading about lucee, coldfusion, or cfqueryparam then you might also like:
- OpenSSL and ColdFusion / Lucee / Tomcat
- How Long Has Your ColdFusion Server Been Running?
- Simple Parallel Execution in ColdFusion or Lucee
- Spring4Shell and ColdFusion
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.