Cannot find syntax error in Coldfusion query

Question

I do not understand why I am getting this error. I am using a cfform to send data from one html page to the next. See below. Another thing I am noticing is that the first two characters of the angle_changes string are cut off. It should be '0a0a0a0a' but '0a0a0a' gets passed in the error message.

Here is the relevant html/Javascript code from spatialforaging.cfm:

<!---all of these get passed from a previous page using cfoutput, except for angle_changes--->
<cfform action="field_transition.cfm" method="post" name="field_form"> 
<cfinput type="hidden" id="angle_changes" name="angle_changes" value="">
<cfinput type="hidden" id="subject_id" name="subject_id" value=#subject_id#>
<cfinput type="hidden" id="times_switched_away" name="times_switched_away" value=#times_switched_away#>
<cfinput type="hidden" id="total_time_unfocused" name="total_time_unfocused" value=#total_time_unfocused#>
<cfinput type="hidden" id="completed_fields" name="completed_fields" value="">

</cfform> 

Script

//these values get changed earlier in the script
document.getElementById("times_switched_away").value = times_switched_away;
document.getElementById("total_time_unfocused").value = total_time_unfocused;
document.getElementById("completed_fields").value = completed_fields.toString();


//angleChanges is an array containing integers which is created elsewhere in the script
var angleChangesFormString = document.getElementById("angle_changes").value;

//adding each angle change to a string to add to database
for (i=0; i < angleChanges.length; i++) {
    angleChangesFormString += angleChanges[i].toString();
    angleChangesFormString += "a";
}
    
angleChangesFormString = angleChangesFormString.replace("undefined","");
document.getElementById("angle_changes").value = angleChangesFormString;
//this does print the correct value of '0a0a0a0a' to alert
alert(document.getElementById("angle_changes").value);
document.getElementById("field_form").submit();

Below are the queries from field_transition.cfm

<cfquery datasource="exmind">
    update dbo.sf
    set completed_fields = #completed_fields#
    where subject_id = #subject_id#
</cfquery>

<cfquery datasource="exmind">
    update dbo.sf
    set times_switched_away = #times_switched_away#, total_time_unfocused = #total_time_unfocused#
    where subject_id = #subject_id#
</cfquery>

    <!---the first two queries work fine and update the database properly--->
    <!---but this one gives the error message below.--->
    <!---I do not see a syntax error, it is formatted exactly like the two queries above which work fine--->
<cfquery datasource="exmind">
    update dbo.sf
    set angle_changes = #angle_changes#
    where subject_id = #subject_id#
</cfquery>

Error Message:

Error Executing Database Query.

[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near 'a0a0a0a'.

The error occurred in C:REDACTED/field_transition.cfm: line 64

62 : update dbo.sf

63 : set angle_changes = #angle_changes#

64 : where subject_id = #subject_id#

65 :

66 :

VENDORERRORCODE 102

SQLSTATE HY000

SQL update dbo.sf set angle_changes = 0a0a0a0a where subject_id = 523550

DATASOURCE exmind

Answer 1

I think the issue is that you are not using <cfqueryparam>.

The field you are trying to update looks like a string field.

<cfquery datasource="exmind">
    update dbo.sf
    set angle_changes = <cfqueryparam value="#angle_changes#" cfsqltype="cf_sql_varchar">
    where subject_id = <cfqueryparam value="#angle_changes#" cfsqltype="cf_sql_integer">
</cfquery>

When trying to update a varchar/char/text database field the query should look like the following(with the quotes) set angle_changes = '0a0a0a0a'. <cfqueryparam> something similar in a better way.

<cfqueryparam> improves the security of you code by preventing SQL injection.