ColdFusion Talk (CF-Talk)
CFQUERY Question
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:58459#317604
> can I fix it?
You can, but shouldn't. Constructing raw SQL strings is dangerous, security-wise.
I expect your real use case is more complex, but rewriting it to:
<cfquery name="insert" datasource="#DSN#">
INSERT INTO users(userName) VALUES(<cfqueryparam value="andrew"/>)
</cfquery>
is trivial.
--
Tom Chiverton
Helping to synergistically negotiate fourth-generation next-generation metrics
Author: Ian Skinner
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:58459#317534
Andrew Tegenkamp wrote:
> Why is this
Because CF automatically escapes all single quotes in variables used
inside of a <CFQUERY...> block.
> and can I fix it?
Use the preserveSingleQuotes() function, whose purpose is to override
this default behavior.
Just be aware that if you are not careful, it is really easy to open
yourself up to all kinds of potential for SQL injection attacks with
this kind of functionality.
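Worked example added here (it is not code from either reply or from the original question) that puts the three patterns discussed in this thread side by side: the variable-interpolated SQL from the question, the preserveSingleQuotes() workaround from Ian's reply, and the cfqueryparam rewrite from Tom's reply, extended to a dynamic WHERE clause since Tom notes the real use case is probably more complex. The datasource name "myDSN", the users table columns userId and userName, and the input values are assumed/constructed for illustration.

```cfml
<!--- Added example; assumes a datasource "myDSN" and a users table with
      userId (integer) and userName (varchar). Input values are constructed. --->
<cfset DSN = "myDSN">
<cfset newUser = "O'Brien">   <!--- constructed: a legitimate value that contains a quote --->

<!--- 1. The pattern from the question: SQL assembled in a variable and then
      interpolated inside cfquery. CF doubles every single quote in the
      evaluated variable, so the database receives VALUES(''O''Brien'')
      and raises a syntax error. --->
<cfset strSQL = "INSERT INTO users(userName) VALUES('#newUser#')">
<cftry>
    <cfquery name="insert1" datasource="#DSN#">
        #strSQL#
    </cfquery>
    <cfcatch type="database">
        <cfoutput>Interpolated string failed as expected: #cfcatch.message#</cfoutput>
    </cfcatch>
</cftry>

<!--- 2. preserveSingleQuotes() switches the escaping off, so the string is sent
      verbatim. The statement now runs, but only because the value has become
      part of the SQL text: whatever newUser contains, including any quotes a
      request parameter carries, is parsed as SQL. This is safe only when every
      part of the string is trusted, which form and URL data never are. --->
<cfquery name="insert2" datasource="#DSN#">
    #preserveSingleQuotes(strSQL)#
</cfquery>

<!--- 3. The rewrite suggested in the thread: keep the SQL text static and pass
      every value through cfqueryparam. The driver binds the value, so the
      quote in newUser is data rather than syntax, and no escaping is needed.
      cfsqltype and maxlength also reject values of the wrong type or size. --->
<cfquery name="insert3" datasource="#DSN#">
    INSERT INTO users (userName)
    VALUES (<cfqueryparam value="#newUser#" cfsqltype="cf_sql_varchar" maxlength="50">)
</cfquery>

<!--- 4. A more dynamic statement stays fully parameterized: the shape of the
      query is decided with cfif, the values are still bound. list="true"
      expands a comma-separated list into one bound parameter per element. --->
<cfset filterName = "O'Brien">   <!--- constructed --->
<cfset idList = "1,2,3">         <!--- constructed --->
<cfquery name="lookup" datasource="#DSN#">
    SELECT userId, userName
    FROM users
    WHERE 1 = 1
    <cfif len(trim(filterName))>
        AND userName = <cfqueryparam value="#filterName#" cfsqltype="cf_sql_varchar">
    </cfif>
    <cfif len(idList)>
        AND userId IN (<cfqueryparam value="#idList#" cfsqltype="cf_sql_integer" list="true">)
    </cfif>
</cfquery>
```

The point of sections 3 and 4 is that "the SQL is easier to build as a string" is usually about the structure of the statement, not the values; the structure can still be assembled with cfif/cfloop inside the cfquery body while every value goes through cfqueryparam, which leaves nothing for preserveSingleQuotes() to do.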
Author: Andrew Tegenkamp
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:58459#317533
I have a SQL statement that is easier to build and save as a variable but it
throws an error when I do this:
<cfset strSQL2 = "INSERT INTO users(userName) VALUES('andrew')">
<cfquery name="insert" datasource="#DSN#">
#strSQL2#
</cfquery>
The error says it is trying to insert the values with two '':
SQL: INSERT INTO users(userName) VALUES(''andrew'')
If I put the SQL code into the CFQUERY tag it is fine.
Why is this and can I fix it?
May 24, 2012