Pete Freitag Pete Freitag

Is maxlength necessary in cfqueryparam with timestamps?

coldfusion

Jakob Ward recently posted an interesting question to the CFML slack channel:

Is there a point to setting maxlength for a timestamp value in cfqueryparam? Or can this be ignored safely?

My guess was that cfqueryparam would ignore the maxlength attribute when the cfsqltype is timestamp (or cf_sql_timestamp if you like to type). But I wasn't sure, so I conducted a quick test with this code:

<cfset news = queryNew("id,title,datePublished",
    "integer,varchar,Timestamp",
    {"id":1,"title":"Dewey defeats Truman", "datePublished":now()})>

<cfquery dbtype="query" name="sub">
    SELECT * FROM news
    WHERE datePublished <= <cfqueryparam value="#now()#" cfsqltype="timestamp" maxlength="1">
</cfquery>

You can run the above code using trycf on ColdFusion 2018 or Lucee 5.

On Lucee

We get an exception on the above code:

value [{ts '2021-01-20 16:59:24'}] is too large, defined maxlength is [1] but length of value is [26] on line 7

If we change the maxlength value to 26, the code runs without error on Lucee. So it appears that Lucee is always checking the length of the value, in this case it is using the string representation of the date object: {ts '2021-01-20 16:59:24'}

On Adobe ColdFusion

It appears to ignore the maxlength attribute of cfqueryparam tag when cfsqltype is timestamp, the code runs without error.


Like this? Follow me ↯

Is maxlength necessary in cfqueryparam with timestamps? was first published on January 20, 2021.

If you like reading about lucee, coldfusion, or cfqueryparam then you might also like:

FuseGuard Web App Firewall for ColdFusion

The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.

Post a Comment