
Unexpected warnings in cfquery tag #64

Closed
laserbyte opened this issue Jun 25, 2015 · 5 comments

Comments

@laserbyte

I'm using MySQL comments in my code, like the following cfquery statement, to track the filename and the current line number for easier cross-referencing in MySQL's query log.

<cfquery name="QueryName" datasource="#datasourceName#">
    -- QueryName - #GetFileFromPath(GetCurrentTemplatePath())# #this.instance.getCurrentLineNumber()#
    select * from tablename;
</cfquery>

However, when I use these, I'm getting warnings like this:

<cfquery name="GetFileFromPath(GetCurrentTemplatePath())"> should use <cfqueryparam/> for security reasons.
<cfquery name="this.instance.getCurrentLineNumber()"> should use <cfqueryparam/> for security reasons.
@ryaneberly
Contributor

In #65, I changed the warning to correctly name the query.

These inline comments with hashes can still be considered a "risk", even within SQL comments. Though your particular use of it is probably quite safe from injection. I recommend you either disable that message code entirely or on a case-by-case basis (per file, per line).

@jjames967
Collaborator

Was your question answered, LaserByte? It was set up as a warning to let you know that parameters should be designated as types (cf_sql_char, etc.) for security reasons. http://help.adobe.com/en_US/ColdFusion/9.0/Developing/WSc3ff6d0ea77859461172e0811cbec22c24-7c36.html

@laserbyte
Author

I think so.

As a clarification, I've been writing the queries like this now:

<cftransaction>
    <cfquery name="qSetParameter" datasource="#datasourceName#">
        SET @queryparam = <cfqueryparam value="#tablename#" />;
    </cfquery>

    <cfquery name="qGetData" datasource="#datasourceName#">
        select * from @queryparam;
    </cfquery>
</cftransaction>

Does this seem like the best approach for preventing SQL injection?

@jjames967
Collaborator

<cfquery name="EmpList" datasource="cfdocexamples">
    SELECT * FROM Employee
    WHERE Emp_ID = <cfqueryparam value = "#Emp_ID#" cfsqltype = "cf_sql_integer">
</cfquery>

Adding the SQL type adds the SQL attack prevention.
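An added example (not code from this thread or from CFLint) that puts the raw-interpolation form the warning targets beside the typed cfqueryparam form, and shows the allowlist check needed when the dynamic part is a table name, which cfqueryparam cannot bind; url.empId, url.status, url.table and the Archive table are assumed for illustration.

```cfml
<!--- Added example, not from CFLint or this issue. url.empId, url.status and
      url.table are assumed request-supplied values; Archive is an assumed table. --->

<!--- Vulnerable: the value is pasted into the SQL text. This is the pattern
      the "should use <cfqueryparam/>" warning exists to catch. --->
<cfquery name="qBad" datasource="#datasourceName#">
    SELECT * FROM Employee WHERE Emp_ID = #url.empId#
</cfquery>

<!--- Hardened: each value is bound as a typed parameter. Input that is not an
      integer is rejected by cfqueryparam, and the text never becomes SQL. --->
<cfquery name="qGood" datasource="#datasourceName#">
    SELECT * FROM Employee
    WHERE Emp_ID = <cfqueryparam value="#url.empId#" cfsqltype="cf_sql_integer">
      AND Status = <cfqueryparam value="#url.status#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>

<!--- Identifiers (table or column names) cannot be bound as parameters, so a
      dynamic table name must come from a fixed allowlist, never from the input
      itself. Only the allowlisted spelling is interpolated. --->
<cfset allowedTables = "Employee,Archive">
<cfset tableIdx = listFindNoCase(allowedTables, url.table)>
<cfif tableIdx EQ 0>
    <cfthrow message="Unknown table">
</cfif>
<cfquery name="qTable" datasource="#datasourceName#">
    SELECT * FROM #listGetAt(allowedTables, tableIdx)#
    WHERE Emp_ID = <cfqueryparam value="#url.empId#" cfsqltype="cf_sql_integer">
</cfquery>
```

The last query still contains a `#...#` inside the SQL, so CFLint will flag it; that is the per-line, case-by-case exception mentioned earlier in the thread, justified here because the interpolated value is taken from the constant list rather than from the request.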

@ryaneberly
Contributor

Closing. I think this is all set.


3 participants