CFQUERY不正确转义单引号 [英] CFQUERY Not escaping single quotes properly
问题描述
全部,
我想在插入期间使用getter来引用bean。 CF不能正确地转义'form.title'中的单引号,因此我收到一个格式错误的sql错误。
I am trying to use a getter to reference a bean during an insert. CF is not escaping the single quote properly in the value in 'form.title' and therefore I am receiving a malformed sql error.
任何想法?
这是代码。
<cfscript>
form.title = "page's are awesome";
page = new model.page.page(argumentCollection = form);
<cfquery name="test" datasource="ksurvey">
insert into page(title)
values('#page.getTitle()#')
</cfquery>
推荐答案
如果你打算这样做,你需要preserveSingleQuotes()
If you're going to do it that way, you need preserveSingleQuotes()
INSERT INTO页面(标题)
VALUES('#preserveSingleQuotes(page.getTitle())# )
当然,您应该如何使用cfqueryparam插入标准警告,以避免SQL注入攻击。
Of course, insert the standard caveat about how you should be using cfqueryparam to avoid SQL injection attacks.
INSERT INTO页面(标题)
VALUES(< cfqueryparam value =#page.getTitle()#cfsqltype =cf_sql_varchar/& / code>
INSERT INTO page( title )
VALUES ( <cfqueryparam value="#page.getTitle()#" cfsqltype="cf_sql_varchar" /> )
参考:
- http://cfquickdocs.com/cf9/#preservesinglequotes
- http://cfquickdocs.com/cf9/#cfqueryparam
这篇关于CFQUERY不正确转义单引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!