Dynamic sql execution with quote marks

Question

I have an app that lets users submit an arbitrary sql
statement (keywords like DELETE and INSERT are prohibited, in case
you are wondering). I send the string to theSQL Server stored
procedure below. The problem is that I get an error when the sql
statement contains quote marks like this:

select top 10 companyName
from customers
where country = 'USA'

Any solutions? Thanks.

Pete

Newsgroup_User · Accepted Answer

By default, CF escapes any single quotes found in string in a variable
passed to a <cfquery...> tag. This is to allow use cases like this to
work correctly.

<cfset aVar = "O'Connor said to him, 'I'll Be Back!'">

<cfquery....>
INSERT INTO aTable (aField)
(#aVar#)
</cfquery>

ColdFusion will escape the single quotes in the string by doubling them
so that this works properly. In your case you do not want them escaped,
and the function to tell CF to not do this is preserveSingleQuotes().

> <cfquery name="myQuery" datasource="#application.mainDS#">
> #preserveSingleQuotes(form.queryString)#
></cfquery>

Dan_Bracuk · Answer

My suggestion is to simply run the sql instead of using astored procedure.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded