fix: Revert broken parameterized queries in Controller and BlogController

bpamiri · claude · bpamiri · commit a1e9923a7224 · 2026-04-02T08:18:53.000-07:00
Wheels findOne/findAll do not support a `params` argument — the
`:placeholder` syntax with `params={}` is silently ignored, making
WHERE clauses match literal `:slug` text instead of actual values.

Revert to Wheels' standard string interpolation in where clauses,
which the framework auto-parameterizes via prepared statements.

Other controllers (AuthController, BookmarkController, etc.) still
have the same broken params pattern and need separate fixes.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/app/controllers/Controller.cfc b/app/controllers/Controller.cfc
@@ -65,8 +65,7 @@ component extends="wheels.Controller" {
         var accesspermission = model("RolePermission").findAll(
             select="roleId, permissionId, name, permissionName, permissionstatus, controller, permissiondescription",
             include="Role, Permission",
-            where="name = :roleName AND permissions.Name = :actionName AND permissions.controller = :controllerName",
-            params={roleName={value=session.role, cfsqltype="cf_sql_varchar"}, actionName={value=action, cfsqltype="cf_sql_varchar"}, controllerName={value=controller, cfsqltype="cf_sql_varchar"}}
+            where="name = '#session.role#' AND permissions.Name = '#action#' AND permissions.controller = '#controller#'"
             );
         if(accesspermission.recordCount == 0){
             if (structKeyExists(getHttpRequestData().headers, "HX-Request")) {
@@ -103,17 +102,15 @@ component extends="wheels.Controller" {
     // Shared business logic across multiple controllers
     public function getBlogBySlug(required string slug) {
         return model("Blog").findOne(
-            where="blog_posts.slug = :slug AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= :now",
-            params={slug={value=arguments.slug, cfsqltype="cf_sql_varchar"}, now={value=now(), cfsqltype="cf_sql_timestamp"}},
+            where="blog_posts.slug = '#arguments.slug#' AND blog_posts.status = 'Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#now()#'",
             include="User",
             cache=10
         );
     }
 
     function getTagsByBlogid(required numeric id) {
         return model("BlogTag").findAll(
-            where="blogId = :blogId",
-            params={blogId={value=arguments.id, cfsqltype="cf_sql_integer"}},
+            where="blogId = #arguments.id#",
             include="Tag",
             cache=10
         );
@@ -122,8 +119,7 @@ component extends="wheels.Controller" {
 
     function getCategoriesByBlogid(required numeric id) {
         return model("BlogCategory").findAll(
-            where = "blogId = :blogId",
-            params = {blogId={value=arguments.id, cfsqltype="cf_sql_integer"}},
+            where = "blogId = #arguments.id#",
             include = "Blog,Category",
             cache = 10
         );
@@ -391,7 +387,7 @@ component extends="wheels.Controller" {
         string url = "",
         string isSubscriber = ""
     ) {
-        var emaildata = model("emailTemplate").findAll(where="title = :templateTitle", params={templateTitle={value=arguments.templateTitle, cfsqltype="cf_sql_varchar"}}, cache=10);
+        var emaildata = model("emailTemplate").findAll(where="title = '#arguments.templateTitle#'", cache=10);
         if (!emaildata.recordCount) return false;
         var emailparams = {
             "name" = arguments.recipientName,
@@ -448,8 +444,7 @@ component extends="wheels.Controller" {
             }
 
             var existingBlog = model("Blog").findFirst(
-                where="title = :title AND slug = :slug AND id != :blogId",
-                params={title={value=params.title, cfsqltype="cf_sql_varchar"}, slug={value=params.slug, cfsqltype="cf_sql_varchar"}, blogId={value=blogId, cfsqltype="cf_sql_integer"}}
+                where="title = '#params.title#' AND slug = '#params.slug#' AND id != #blogId#"
             );
 
             if (isObject(existingBlog)) {
@@ -513,7 +508,7 @@ component extends="wheels.Controller" {
     function deleteBlogTags(required blogId) {
         try {
             if (!isEmpty(blogId)) {
-                model("BlogTag").deleteAll(where="blogId = :blogId", params={blogId={value=arguments.blogId, cfsqltype="cf_sql_integer"}});
+                model("BlogTag").deleteAll(where="blogId = #arguments.blogId#");
             }
         } catch (any e) {
             model("Log").log(
@@ -536,7 +531,7 @@ component extends="wheels.Controller" {
     function deleteBlogCategories(required blogId) {
         try {
             if (!isEmpty(blogId)) {
-                model("BlogCategory").deleteAll(where="blogId = :blogId", params={blogId={value=arguments.blogId, cfsqltype="cf_sql_integer"}});
+                model("BlogCategory").deleteAll(where="blogId = #arguments.blogId#");
             }
         } catch (any e) {
             model("Log").log(
diff --git a/app/controllers/web/BlogController.cfc b/app/controllers/web/BlogController.cfc
@@ -348,7 +348,7 @@ component extends="app.Controllers.Controller" {
 			return Val(authorParam);
 		} else {
 			// Lookup user by username
-			var user = model("user").findOne(where = "username = :username", params={username={value=arguments.authorParam, cfsqltype="cf_sql_varchar"}});
+			var user = model("user").findOne(where = "username = '#arguments.authorParam#'");
 			if (IsObject(user)) {
 				return user.id;
 			} else {
@@ -374,8 +374,7 @@ component extends="app.Controllers.Controller" {
 		if (Len(Trim(searchTerm))) {
 			var searchPattern = "%#searchTerm#%";
 			var query = model("blog").findAll(
-				where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE :pattern OR blog_posts.title LIKE :pattern OR blog_posts.content LIKE :pattern OR fullname LIKE :pattern OR email LIKE :pattern)",
-				params = {pattern={value=searchPattern, cfsqltype="cf_sql_varchar"}},
+				where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE '#searchPattern#' OR blog_posts.title LIKE '#searchPattern#' OR blog_posts.content LIKE '#searchPattern#' OR fullname LIKE '#searchPattern#' OR email LIKE '#searchPattern#')",
 				include = "User",
 				order = "publishedAt DESC",
 				page = page,
@@ -385,8 +384,7 @@ component extends="app.Controllers.Controller" {
 			if (isInfiniteScroll) {
 				totalCount = model("blog").count(
 					include = "User",
-					where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE :pattern OR blog_posts.title LIKE :pattern OR blog_posts.content LIKE :pattern OR fullname LIKE :pattern OR email LIKE :pattern)",
-					params = {pattern={value=searchPattern, cfsqltype="cf_sql_varchar"}}
+					where = "blog_posts.status ='Approved' AND blog_posts.publishedAt IS NOT NULL AND blog_posts.publishedAt <= '#Now()#' AND (blog_posts.slug LIKE '#searchPattern#' OR blog_posts.title LIKE '#searchPattern#' OR blog_posts.content LIKE '#searchPattern#' OR fullname LIKE '#searchPattern#' OR email LIKE '#searchPattern#')"
 				);
 				hasMore = (page * perPage) < totalCount;
 				isSearched = true;
@@ -621,7 +619,7 @@ component extends="app.Controllers.Controller" {
 
 			// Allow title change and check uniqueness
 			if (StructKeyExists(params, "title")) {
-				var existingBlog = model("Blog").findFirst(where = "title = :title AND id != :blogId", params={title={value=params.title, cfsqltype="cf_sql_varchar"}, blogId={value=blogId, cfsqltype="cf_sql_integer"}});
+				var existingBlog = model("Blog").findFirst(where = "title = '#params.title#' AND id != #blogId#");
 				if (IsObject(existingBlog)) {
 					result.success = false;
 					result.message = "A blog post with this title already exists.";
