Dynamic generation of SQL code

Forum|Forum|16 years ago
January 25, 2010
4 replies
852 views

I am having a problem with generating SQL code dynamically.

Specifically when I use single quotes in my SQL statements, they end up showing as double quotes when the query runs.

Any ideas on how I can remdey this?

When I display my dynamic SQL code, it looks like and works fine if I run it

AND (External_Group_Members LIKE '%,1,%' OR External_Group_Members LIKE '%,3,%')

but when this is passed to the SQL, it looks like and I get an error

SELECT * FROM External_Groups WHERE 1 = 1 AND (External_Group_Members LIKE ''%,1,%'' OR External_Group_Members LIKE ''%,3,%'') ORDER BY External_Group_Name

Test-cfm.zip

Database access

This topic has been closed for replies.

Correct answer Dan_Bracuk

PreserveSingleQuotes().

D

djad1

Participant

This is a simple application for generating the code dynamically and compiling it dynamically. I have given two classes, GenerateClass, which generates a class on the fly, and RunClass, which compiles the generated class.

For dynamic code generation and code compilation, there is CodeDom technology. Before going into the sample, let me give you a short introduction to CodeDom. Some applications need the generation and or compilation of source code at run time. The .NET Framework SDK provides a standard mechanism called the Code Document Object Model(CodeDOM) that enables the output of the source code in multiple programming languagesat run time, based on the single model that represents the code to render. The CodeDom namespace of .NET provides:

1. A single model for rendering the source code. Therefore, we can extend the set of supported languages.
2. A way to represent source code in a language independent object model.
3. Programs can be dynamically created, compiled and executed at run time.

CodeDom architecture can conceptually represent most programming constructs. However there are several limitations to the current CodeDom implementation. A few to mention are variable declaration list, unsafe modifier, aliasing the namespaces, nested namespaces, and others. To represent the constructs that are not provided by CodeDom, we can make use of the Snippet classes.

r4 revolution for ds

-

-__cfSearching__-

Inspiring

mohadi wrote:
I am having a problem with generating SQL code dynamically.
Specifically when I use single quotes in my SQL statements, they end up showing as double quotes when the query runs.

Like it or not, that is for your protection. Otherwise malicious users can manipulate form field values and append nasty commands like DROP TABLE External_Groups that would be executed by your database. By using PreserveSingleQuotes you potentially open your database to just such a risk (if it supports multiple statements).

J

JR__Bob__Dobbs-qSBHQ2

Inspiring

If the dynamic portions of your code only contain parameters I would use CFQUERYPARAM in your queries. I would also be concerned about possible SQL injection attacks.

http://en.wikipedia.org/wiki/Sql_injection

D

Dan_BracukCorrect answer

Inspiring

PreserveSingleQuotes().

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded