Reputation: 41
I have an input checkbox field where a user can select multiple checkboxes in a form, and depending on what they select, it will create a string of IDs like 10,14,35,47, and that will be submitted to the database. I can get this submitted if I just submit it directly like below:
user_job_type_id="#form.user_job_type_id#",
But if I try and wrap that in a cfqueryparam, which I would rather do to make it more secure, I get an error, regardless of what I do. Whether I set it to a list true or false, varchar, integer, everything throws an error like cfqueryparam doesn't accept the list.
For example, below will not work:
user_job_type_id=<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.user_job_type_id#" list="Yes"/>,
What am I missing here?
Upvotes: 1
Views: 512
Reputation: 14859
As @SOS mentioned, you need to use an IN statement when checking against a list of values in parentheses. In addition, since the values are all integers, make sure to specify the correct cfsqltype. This ensures the correct data type check for each element in the list.
Wrong:
user_job_type_id = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.user_job_type_id#" list="Yes"/>,
Better:
user_job_type_id IN (<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.user_job_type_id#" list="Yes"/>),
Best:
user_job_type_id IN (<cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.user_job_type_id#" list="Yes"/>),
Upvotes: 6
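The "Best" form from the answer above, placed in a complete query with the two edge cases a checkbox list brings: nothing selected, and a non-integer element. This is an added example, not code from the question or the answer; the table `job_types`, the column `job_type_name`, the variable `application.dsn` and the query name are assumptions.

```cfml
<!--- Constructed example: table, extra column and datasource names are assumptions --->

<!--- Unchecked checkboxes are not submitted at all, so default to an empty list --->
<cfparam name="form.user_job_type_id" default="">

<!--- Accept only whole numbers; reject the request if any element is anything else --->
<cfset jobTypeIds = []>
<cfloop list="#form.user_job_type_id#" index="id">
    <cfif NOT reFind("^\s*[0-9]+\s*$", id)>
        <cfthrow type="InvalidInput"
                 message="user_job_type_id must be a comma-separated list of integers.">
    </cfif>
    <cfset arrayAppend(jobTypeIds, trim(id))>
</cfloop>

<cfif arrayLen(jobTypeIds)>
    <!--- list="yes" binds each element as its own integer parameter inside IN (...) --->
    <cfquery name="qJobTypes" datasource="#application.dsn#">
        SELECT user_job_type_id, job_type_name
        FROM job_types
        WHERE user_job_type_id IN (
            <cfqueryparam cfsqltype="CF_SQL_INTEGER"
                          value="#arrayToList(jobTypeIds)#"
                          list="yes">
        )
    </cfquery>
<cfelse>
    <!--- IN () with no elements is invalid SQL, so return an empty result instead --->
    <cfset qJobTypes = queryNew("user_job_type_id,job_type_name", "integer,varchar")>
</cfif>
```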