CFQUERY Not escaping single quotes properly [duplicate]

一世执手 submitted on 2019-12-31 02:58:11

Question


Possible Duplicate:
Coldfusion adding extra quotes when constructing database queries in strings

All,

I am trying to use a getter to reference a bean during an insert. CF is not escaping the single quote properly in the value in 'form.title' and therefore I am receiving a malformed sql error.

Any ideas?

Here's the code.

<cfscript>
form.title = "page's are awesome";

page = new model.page.page(argumentCollection = form);
</cfscript>

<cfquery name="test" datasource="ksurvey">
insert into page(title)
values('#page.getTitle()#')
</cfquery>

Answer 1:


If you're going to do it that way, you need preserveSingleQuotes()

INSERT INTO page( title ) VALUES ( '#preserveSingleQuotes( page.getTitle() )#' )

Of course, insert the standard caveat about how you should be using cfqueryparam to avoid SQL injection attacks.

INSERT INTO page( title ) VALUES ( <cfqueryparam value="#page.getTitle()#" cfsqltype="cf_sql_varchar" /> )

For reference:

  • http://cfquickdocs.com/cf9/#preservesinglequotes
  • http://cfquickdocs.com/cf9/#cfqueryparam



Answer 2:


I wouldn't insert any value into a database without using cfqueryparam, it's not safe! Not only that but cfqueryparam will handle all the escaping for you.

<cfquery name="test" datasource="ksurvey">
   insert into 
       page(title)
   values(<cfqueryparam value="#page.getTitle()#" cfsqltype="cf_sql_varchar">);
</cfquery>
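
The two answers above both come down to the same point: text spliced into the SQL string has to be escaped correctly for the target database, while a bound parameter (what cfqueryparam produces) never becomes part of the SQL text at all. The following is an added example, not code from the question or either answer, and it uses Python's sqlite3 module as a stand-in for the ColdFusion datasource so it can run offline. The table and the title value mirror the question; the three insert functions mirror the bare `'#page.getTitle()#'` interpolation, the quote doubling a manual escape would apply, and the bound-parameter form respectively.

```python
"""Single quotes in SQL: interpolation vs. escaping vs. bound parameters.

Constructed demonstration against an in-memory SQLite database. The page(title)
table and the title "page's are awesome" are taken from the question above.
"""
import sqlite3

TITLE = "page's are awesome"  # the value from the question


def fresh_db():
    """Return a new in-memory database with the page(title) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (title TEXT)")
    return conn


def stored_title(conn):
    """Read back the single row written by one of the insert functions."""
    return conn.execute("SELECT title FROM page").fetchone()[0]


def insert_interpolated(conn, title):
    """Mirror values('#page.getTitle()#') with no escaping at all.

    The apostrophe in the title terminates the SQL string literal early, so the
    statement is malformed. Returns the stored title on success, otherwise the
    name of the exception class the driver raised.
    """
    sql = f"INSERT INTO page(title) VALUES ('{title}')"
    try:
        conn.execute(sql)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return stored_title(conn)


def insert_escaped(conn, title):
    """Mirror a manual escape: double every single quote before splicing.

    This works for a literal apostrophe in standard SQL, but the rule is
    dialect-specific and must be applied exactly once, which is why the
    answers steer towards parameters instead.
    """
    sql = "INSERT INTO page(title) VALUES ('%s')" % title.replace("'", "''")
    conn.execute(sql)
    return stored_title(conn)


def insert_parameterised(conn, title):
    """Mirror <cfqueryparam>: the value is bound, never spliced into the SQL.

    The statement text is fixed, so no character in the title can change its
    structure, and the driver stores the value byte-for-byte.
    """
    conn.execute("INSERT INTO page(title) VALUES (?)", (title,))
    return stored_title(conn)


def run_demo(title=TITLE):
    """Run all three approaches on a fresh database each and collect results."""
    return {
        "interpolated": insert_interpolated(fresh_db(), title),
        "escaped": insert_escaped(fresh_db(), title),
        "parameterised": insert_parameterised(fresh_db(), title),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:14s} -> {result!r}")
```

Running it shows the interpolated form failing with a syntax error at the stray `s`, while both the escaped and the bound-parameter forms store `page's are awesome` intact; only the bound form does so without any per-database escaping rule in the application code.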


Source: https://stackoverflow.com/questions/6756857/cfquery-not-escaping-single-quotes-properly
