CFQUERY不正确转义单引号 [英] CFQUERY Not escaping single quotes properly
问题描述
全部,
我正在尝试使用getter在插入期间引用一个bean。 CF不正确地转义在'form.title'中的值中,因此我收到格式错误的sql错误。
任何想法?
这是代码。
< cfscript>
form.title =page's are awesome;
page = new model.page.page(argumentCollection = form);
< cfquery name =testdatasource =ksurvey>
insert into page(title)
values('#page.getTitle()#')
< / cfquery>
如果你打算这样做,你需要preserveSingleQuotes()
INSERT INTO页面(标题)
VALUES('#preserveSingleQuotes(page.getTitle())# )
当然,请插入关于如何使用cfqueryparam避免SQL注入攻击的标准警告。
$ b $VALUES(< cfqueryparam value =#page.getTitle()#cfsqltype =cf_sql_varchar/>)
参考:
Possible Duplicate:
Coldfusion adding extra quotes when constructing database queries in strings
All,
I am trying to use a getter to reference a bean during an insert. CF is not escaping the single quote properly in the value in 'form.title' and therefore I am receiving a malformed sql error.
Any ideas?
Here's the code.
<cfscript>
form.title = "page's are awesome";
page = new model.page.page(argumentCollection = form);
<cfquery name="test" datasource="ksurvey">
insert into page(title)
values('#page.getTitle()#')
</cfquery>
If you're going to do it that way, you need preserveSingleQuotes()
INSERT INTO page( title )
VALUES ( '#preserveSingleQuotes( page.getTitle() )#' )
Of course, insert the standard caveat about how you should be using cfqueryparam to avoid SQL injection attacks.
INSERT INTO page( title )
VALUES ( <cfqueryparam value="#page.getTitle()#" cfsqltype="cf_sql_varchar" /> )
For reference:
这篇关于CFQUERY不正确转义单引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!