[thelist] No Escape from ColdFusion
Raymond Camden
jedimaster at macromedia.com
Mon Aug 27 13:08:04 CDT 2001
> ColdFusion isn't escaping the single quote in my variable parameter of my
> query.
>
> I know ColdFusion usually does this by default, but is there an instance (or
> more) where this doesn't happen, like, well, expected?
>
Yes. If you pass a complex var to a query, the value will not be escaped.
For example:

    <CFSET Foo = StructNew()>
    <CFSET Foo["Test"] = "Ray's Diner">
    <CFQUERY ...>
    select blah from blah
    where name = '#Foo["Test"]#'
    </CFQUERY>

In this case, the value of Foo["Test"] will not be escaped. To get around
this, just do:

    <CFSET Temp = Foo["Test"]>

and pass #Temp# to the query.
=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email : jedimaster at macromedia.com
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda
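
Added example, not part of the original post: the struct reference from the reply, the temp-variable workaround it suggests, and a bound parameter via CFQUERYPARAM, which sends the value separately from the SQL text and so does not depend on automatic quote escaping at all. The datasource "exampleDSN" and the "diners" table with its "id" and "name" columns are hypothetical.

```cfml
<!--- Added example. "exampleDSN", "diners", "id" and "name" are hypothetical. --->
<cfset Foo = StructNew()>
<cfset Foo["Test"] = "Ray's Diner">

<!--- 1. Struct reference inside the SQL string. Per the post, the quote in
      "Ray's" is not doubled, so the string literal ends early and the
      database sees malformed SQL. The CFTRY reports that instead of aborting. --->
<cftry>
    <cfquery name="qUnescaped" datasource="exampleDSN">
        select id, name from diners
        where name = '#Foo["Test"]#'
    </cfquery>
    <cfoutput>Form 1 ran, rows: #qUnescaped.RecordCount#<br></cfoutput>
    <cfcatch type="database">
        <cfoutput>Form 1 failed: #HTMLEditFormat(cfcatch.message)#<br></cfoutput>
    </cfcatch>
</cftry>

<!--- 2. Workaround from the post: copy the value into a simple variable so
      the automatic single-quote escaping applies again. --->
<cfset Temp = Foo["Test"]>
<cfquery name="qTempVar" datasource="exampleDSN">
    select id, name from diners
    where name = '#Temp#'
</cfquery>
<cfoutput>Form 2 rows: #qTempVar.RecordCount#<br></cfoutput>

<!--- 3. Bound parameter: no quotes around the placeholder, the value is
      passed to the driver as data with a declared type, so a quote in it
      cannot change the statement whether or not it came from a struct. --->
<cfquery name="qBound" datasource="exampleDSN">
    select id, name from diners
    where name = <cfqueryparam value="#Foo['Test']#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfoutput>Form 3 rows: #qBound.RecordCount#<br></cfoutput>
```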