ColdFusion在字符串中构造数据库查询时添加额外的引号 [英] ColdFusion adding extra quotes when constructing database queries in strings

问题描述

我在ColdFusion编码，但试图留在cfscript，所以我有一个函数，允许我传递一个查询来运行它与

< cfquery blah>
＃查询＃
< / cfquery>

code> sql =SELECT * FROM a WHERE b ='＃c＃'并传递，ColdFusion已经用2个单引号替换了单引号。因此它在最终查询中变成 WHERE b ='c''。

很多不同的方式，但我不能让它离开只是一个报价。即使做一个字符串替换也没有效果。

任何想法为什么会发生这种情况？

解决方案

ColdFusion根据设计，在插值时转义单引号< cfquery> 标签中的变量。

要执行所需操作，您需要使用 PreserveSingleQuotes（） function。

 < cfquery ...> #PreserveSingleQuotes（query）＃< / cfquery> 
  

然而，这并不能解决你自己暴露的SQL注入的危险。 / p>

使用 < cfqueryparam> 还允许您的数据库缓存查询，这在大多数情况下会提高性能。

了解旧的Ben Forta栏，以及 Brad Wood的最新帖子，了解有关使用< cfqueryparam> 的好处的更多信息。

I am coding in ColdFusion, but trying to stay in cfscript, so I have a function that allows me to pass in a query to run it with <cfquery blah > #query# </cfquery>

Somehow though, when I construct my queries with sql = "SELECT * FROM a WHERE b='#c#'" and pass it in, ColdFusion has replaced the single quotes with 2 single quotes. so it becomes WHERE b=''c'' in the final query.

I have tried creating the strings a lot of different ways, but I cannot get it to leave just one quote. Even doing a string replace has no effect.

Any idea why this is happening? It is ruining my hopes of living in cfscript for the duration of this project

解决方案

ColdFusion, by design, escapes single quotes when interpolating variables within <cfquery> tags.

To do what you want, you need to use the PreserveSingleQuotes() function.

<cfquery ...>#PreserveSingleQuotes(query)#</cfquery>

This doesn't address, however, the danger of SQL injection to which you are exposing yourself.

Using <cfqueryparam> also allows your database to cache the query, which in most cases will improve performance.

It might be helpful to read an old Ben Forta column and a recent post by Brad Wood for more information about the benefits of using <cfqueryparam>.

这篇关于ColdFusion在字符串中构造数据库查询时添加额外的引号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！