Use of CFQUERYPARAM to specify table/column names in SQL


Problem description

I need to dynamically construct a set of JOIN statements where the table and column names are passed in from another ColdFusion query. When passing the string values into the statement, CFQUERYPARAM adds single quotes around it - that's part of the point of CFQUERYPARAM. Given that this breaks the SQL statement, is it acceptable not to use CFQUERYPARAM in this case and instead ensure that the incoming query is cleansed, or is there a way round which allows CFQUERYPARAM to be used? (I can lock down these pieces of code using circuit/fuse permissions in Fusebox.)

Thanks.

Recommended answer

cfqueryparam does not add single quotes - it uses bind variables.

I am instantly suspicious of the statement "dynamically construct a set of JOIN statements" - it doesn't sound like you're necessarily doing things properly if you're dynamically joining.

However, for table/column names, once you are definitely sanitizing fully - if cfqueryparam doesn't work and you need cf variables - then yes, you can use CF variables directly.

Note: To sanitize safely, you can use rereplacenocase(table_name,'[^a-z_]','','all') to remove everything other than a-z and underscore.
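The pattern the answer describes, worked through as an added CFScript example (this is not code from the question or the answer): identifiers that come from the metadata query are validated and then concatenated into the SQL, while every value goes through a bind parameter. It goes one step further than the regex strip in the note by rejecting, rather than silently trimming, any identifier that fails the pattern, and by checking each table/column pair against an explicit allowlist of what the dynamic JOIN may touch. The datasource name "appDS", the tables "orders" and "customers", the "joins" array and the "minTotal" value are all constructed for illustration.

```cfml
<cfscript>
// Added example, not from the original post. Assumes a datasource "appDS"
// with tables "orders" and "customers" (both hypothetical).

// Allowlist of tables and the columns the dynamic JOIN is permitted to use.
// Validating against this, not just against a character class, means an
// identifier that merely "looks like" a name is still refused.
allowedColumns = {
    "orders":    ["id", "customer_id", "total"],
    "customers": ["id", "name"]
};

// Reject (throw) instead of stripping: rereplace-style stripping can turn one
// string into a different, valid-looking identifier without anyone noticing.
function safeTable(required string table) {
    if (!reFindNoCase("^[a-z_][a-z0-9_]*$", arguments.table)
        || !structKeyExists(allowedColumns, arguments.table)) {
        throw(type="InvalidIdentifier", message="Table not allowed: " & arguments.table);
    }
    return arguments.table;
}

function safeColumn(required string table, required string column) {
    var t = safeTable(arguments.table);
    if (!reFindNoCase("^[a-z_][a-z0-9_]*$", arguments.column)
        || !arrayContainsNoCase(allowedColumns[t], arguments.column)) {
        throw(type="InvalidIdentifier", message="Column not allowed: " & arguments.column);
    }
    return t & "." & arguments.column;
}

// Constructed stand-in for the rows the other ColdFusion query would supply.
joins = [
    { leftTable: "orders", leftColumn: "customer_id",
      rightTable: "customers", rightColumn: "id" }
];

// Only validated identifiers are ever concatenated into the SQL string.
sql = "SELECT orders.id, orders.total, customers.name FROM orders";
for (j in joins) {
    sql &= " JOIN " & safeTable(j.rightTable)
         & " ON " & safeColumn(j.leftTable, j.leftColumn)
         & " = "  & safeColumn(j.rightTable, j.rightColumn);
}

// The filter value is a real bind variable (the cfqueryparam equivalent in
// script syntax), so it is never part of the SQL text at all.
minTotal = 100;   // constructed sample input; in practice this would be user-supplied
sql &= " WHERE orders.total > :minTotal";

result = queryExecute(
    sql,
    { minTotal: { value: minTotal, cfsqltype: "cf_sql_numeric" } },
    { datasource: "appDS" }
);
</cfscript>
```

The split is the whole point: structural parts of the statement (table and column names) cannot be bound, so they are constrained to a closed set before use; data values can be bound, so they always are. If a caller passes a name that is not in the allowlist, the request fails loudly at the throw rather than running a query nobody intended.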

