Don't Omit Those Pound Signs

What is the difference between “WHERE pk=#pk#” and “WHERE pk=pk”? Lots. The former compares a database column to a ColdFusion variable (and will likely match a single row, if the primary key is specified). The latter compares the value in each row’s column to itself; in other words, it matches every single row in the table. Both are valid SQL (so neither will throw an error), but the rows that match the two conditions will be very different indeed. Now imagine that the WHERE clause comes after the SQL text “DELETE FROM table” and you’ll understand why checking that you have pound signs where you need them is a must before you execute any SQL, ever. (Applies to: ColdFusion All)
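The two conditions side by side, as an added Python/sqlite example that is not part of the original post: the value is bound with a `?` placeholder (the role `<cfqueryparam>` plays in ColdFusion) so a dropped pound sign cannot silently become `pk=pk`, and a small check run before any DELETE refuses a WHERE clause that compares a column to itself. The table, rows and function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original post).
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (pk INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


# A WHERE clause consists of developer-written SQL; the value goes in via params.
def count_matching(conn, where_clause: str, params=()) -> int:
    """Rows a WHERE clause selects, i.e. what a DELETE with that clause would remove."""
    sql = f"SELECT COUNT(*) FROM users WHERE {where_clause}"
    return conn.execute(sql, params).fetchone()[0]


# Matches 'name = name' where both sides are the same bare identifier (the pk=pk mistake).
TAUTOLOGY = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*\1\b")


def self_comparison(where_clause: str):
    """Return the column name if the clause compares a column to itself, else None."""
    m = TAUTOLOGY.search(where_clause)
    return m.group(1) if m else None


def delete_rows(conn, where_clause: str, params=()) -> int:
    """Refuse a DELETE whose WHERE clause matches every row; otherwise return rows deleted."""
    col = self_comparison(where_clause)
    if col:
        raise ValueError(f"refusing DELETE: '{col}={col}' matches every row in the table")
    return conn.execute(f"DELETE FROM users WHERE {where_clause}", params).rowcount


def demo() -> dict:
    """Run both conditions against the sample table and report what each would affect."""
    conn = setup()
    result = {
        "bound_value_matches": count_matching(conn, "pk = ?", (2,)),  # one row
        "tautology_matches": count_matching(conn, "pk=pk"),           # every row
        "flagged_column": self_comparison("pk=pk"),
        "bound_value_flagged": self_comparison("pk = ?"),
        "deleted": delete_rows(conn, "pk = ?", (2,)),
    }
    result["remaining"] = count_matching(conn, "1=1")
    return result


if __name__ == "__main__":
    print(demo())
```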
