ColdFusion 在字符串中构造数据库查询时添加额外的引号 [英] ColdFusion adding extra quotes when constructing database queries in strings

问题描述

我在 ColdFusion 中编码，但试图留在 cfscript 中，所以我有一个函数允许我传入查询以运行它<代码>#询问#</cfquery>

I am coding in ColdFusion, but trying to stay in cfscript, so I have a function that allows me to pass in a query to run it with <cfquery blah > #query# </cfquery>

尽管如此，当我使用 sql = "SELECT * FROM a WHERE b='#c#'" 构造查询并将其传入时，ColdFusion 已将单引号替换为 2 个单引号.因此它在最终查询中变为 WHERE b=''c''.

Somehow though, when I construct my queries with sql = "SELECT * FROM a WHERE b='#c#'" and pass it in, ColdFusion has replaced the single quotes with 2 single quotes. so it becomes WHERE b=''c'' in the final query.

我尝试了很多不同的方法来创建字符串，但我不能让它只留下一个引号.即使进行字符串替换也没有效果.

I have tried creating the strings a lot of different ways, but I cannot get it to leave just one quote. Even doing a string replace has no effect.

知道为什么会这样吗?它破坏了我在这个项目期间生活在 cfscript 中的希望

Any idea why this is happening? It is ruining my hopes of living in cfscript for the duration of this project

推荐答案

ColdFusion 在设计上会在 <cfquery> 标签内插入变量时转义单引号.

ColdFusion, by design, escapes single quotes when interpolating variables within <cfquery> tags.

要做你想做的事，你需要使用 PreserveSingleQuotes() 函数.

To do what you want, you need to use the PreserveSingleQuotes() function.

<cfquery ...>#PreserveSingleQuotes(query)#</cfquery>

但是，这并没有解决您自己暴露在 SQL 注入中的危险.

This doesn't address, however, the danger of SQL injection to which you are exposing yourself.

使用 <cfqueryparam> 还允许您的数据库缓存查询，这在大多数情况下会提高性能.

Using <cfqueryparam> also allows your database to cache the query, which in most cases will improve performance.

阅读 旧的 Ben Forta 专栏 可能会有所帮助Brad Wood 最近的一篇文章，了解有关使用 <cfqueryparam> 的好处的更多信息.

It might be helpful to read an old Ben Forta column and a recent post by Brad Wood for more information about the benefits of using <cfqueryparam>.

这篇关于ColdFusion 在字符串中构造数据库查询时添加额外的引号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！