I have my Select Insert statement and I'm wondering if I should prevent my code from SQL injection. This code is using BULK Insert and TEMP TABLE. I have never use this before and I'm not familiar if I can/should use cfqueryparam in this case or there is something else that I can apply in this case? Here is my code:
<cfquery datasource="testDB" name="InsertBulk">
IF OBJECT_ID('tempdb..##TEMP_TBL') IS NOT NULL DROP TABLE ##TEMP_TBL;
CREATE TABLE ##TEMP_TBL (#cols#)
BULK INSERT ##TEMP_TBL
FROM 'D:\myFiles\myTXT.txt'
WITH (
FIELDTERMINATOR = '\t',
ROWTERMINATOR = '\n'
)
</cfquery>
<cfquery datasource="testDB" name="InsertUpdate">
INSERT INTO myRecords(
FIRST_NAME,
LAST_NAME,
GENDER,
DOB
)
SELECT
CASE WHEN LEN(LTRIM(RTRIM(FIRST_NAME))) <> 0 OR FIRST_NAME <> 'NULL' THEN FIRST_NAME END,
CASE WHEN LEN(LTRIM(RTRIM(LAST_NAME))) <> 0 OR LAST_NAME <> 'NULL' THEN LAST_NAME END,
CASE WHEN LEN(LTRIM(RTRIM(GENDER))) <> 0 OR GENDER <> 'NULL' THEN GENDER END,
CASE WHEN LEN(LTRIM(RTRIM(BIRTH_DATE))) <> 0 OR BIRTH_DATE <> 'NULL' THEN BIRTH_DATE END
FROM ##TEMP_TBL AS TempInsert
WHERE NOT EXISTS (
SELECT *
FROM myRecords AS Dups
WHERE Dups.userID = TempInsert.user_ID
)
UPDATE Records
SET
Records.FIRST_NAME = CASE WHEN LEN(LTRIM(RTRIM(Temp.FIRST_NAME))) <> 0 OR Temp.FIRST_NAME <> 'NULL' THEN Temp.FIRST_NAME END,
Records.LAST_NAME = CASE WHEN LEN(LTRIM(RTRIM(Temp.LAST_NAME))) <> 0 OR Temp.LAST_NAME <> 'NULL' THEN Temp.LAST_NAME END,
Records.GENDER = CASE WHEN LEN(LTRIM(RTRIM(Temp.GENDER))) <> 0 OR Temp.GENDER <> 'NULL' THEN Temp.GENDER END,
Records.DOB = CASE WHEN LEN(LTRIM(RTRIM(Temp.BIRTH_DATE))) <> 0 OR Temp.BIRTH_DATE <> 'NULL' THEN Temp.BIRTH_DATE END,
FROM myRecords AS Records
INNER JOIN ##TEMP_TBL AS Temp
ON Records.userID = Temp.user_ID
WHERE Records.userID = Temp.user_ID
</cfquery>
I have approached my problem using bulk because I tried to avoid using cfloop and creating multiple INSERT/UPDATE statements.
