CFQUERY Question

I have a SQL statement that is easier to build and save as a variable but it throws an error when I do this: <cfset strSQL2 = "INSERT INTO users(userName) VALUES('andrew')"> <cfquery name="insert" datasource="#DSN#">   #strSQL2# </cfquery> The error says it is trying to insert the values with two '': SQL: INSERT INTO users(userName) VALUES(''andrew'') If I put the SQL code into the CFQUERY tag it is fine. Why is this and can I fix it?

Andrew Tegenkamp wrote: > Why is this Because CF automatically escapes all single quotes in variables used inside of a <CFQUERY...> block. > and can I fix it? Use the perserveSingleQuotes() function whose purpose is to over ride this default behavior. Just be aware that if you are not careful, it is really easy to open yourself up to all kinds of potential for SQL injection attacks with this kind of functionality.

> can I fix it? You can, but shouldn't. Constructing raw SQL strings is dangerous, security wise. I expect your real use case is more complex, but rewriting it to : <cfquery name="insert" datasource="#DSN#">         INSERT INTO users(userName) VALUES(<cfqueryparam value="andrew"/>) </cfquery> is trivial. -- Tom Chiverton Helping to synergistically negotiate fourth-generation next-generation metrics **************************************************** This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB.  A list of members is available for inspection at the registered office together with a list of those non members who are referred to as partners.  We use the word ?partner? to refer to a member of the LLP, or an employee or consultant with equivalent standing and qualifications. Regulated by the Solicitors Regulation Authority. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged.  If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents.   If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 2500. For more information about Halliwells LLP visit www.halliwells.com.