Skip to main content
N
nikhil20101
Participating Frequently
August 6, 2010
Question

giving problem when a formatted string used with cfquery tag

  • August 6, 2010
  • 2 replies
  • 701 views

Hi,

I have a search query returning a set of result, of which I am taking the filename. For each of this filename I need to run a SQL query to fetch a set of values from database (SQL Server 2000) . One of these fields can have values like "1,2,3" or "1" or "1,2" and so on. Each number is associated with a name and I need to display those names.

I have two tables as below

Table1

ID
Title
List
Filename
1title11,2,3,4file1.doc
2title21file2.doc
3title31,2file3.doc

Each of the numbers in the list in Table1 correspond to a name in Table2

Table2

ID
Name
1name1
2

name2

3

name3

4name4

Below is the code:

<cfoutput query="searchQuery" STARTROW="#startRecord#" MAXROWS="10">   <!--- Output of search query --->

     <cfquery name="getlist" datasource="data">
          SELECT list FROM Table1 WHERE filename like '%#searchQuery.fileName#%'   <!--- list returns a value like 1,2,3 as explained above --->
     </cfquery>

     <!--- to get the names I need to build a query as below  --->

     <!--- SELECT name FROM Table2 where id IN ('1','2','3') --->

     <!--- I am able to build the string  '1', '2', '3' as shown below  --->

     <cfset temp_list = #getlist.list#>
     <cfparam name="idlist" default="">
               
      <cfif len(#temp_list#) GT 1>
           <cfloop list="#temp_list#" index="i" delimiters=",">
                        <cfset idlist= idlist& " ' " &i& " ', ">   <!--- This builds string like '1','2','3' from 1,2,3 as in the table  --->
           </cfloop>
           <cfset idlist= left(idlist, len(idlist)-1)>

     </cfif>

     <cfoutput>SELECT name FROM Table2  where id IN (#idlist#)</cfoutput>

     <!--- The above query is built like SELECT name FROM Table2  where id IN ('1','2','3') , exactly the way I want--->

     <cfquery name="getname" datasource="portal">
          SELECT name FROM Table2  where id IN (#idlist#)
     </cfquery>

     <!--- The above query within cfquery tag is built like SELECT name FROM Table2  where id IN (''1'',''2'',''3'') , its not double quote but two single quotes, which is causing SQL exception --->

Can anyone please let me know about this behaviour within cfquery tag and any solution to fix this.

The error points to line SELECT statement within cfquery tag.

Below are the few lines of the stack trace.

java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Line 1: Incorrect syntax near '1'.
     at macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)
     at macromedia.jdbc.base.BaseExceptions.getException(Unknown Source)
     at macromedia.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown Source)
     at macromedia.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown Source)
     at macromedia.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown Source)
     at macromedia.jdbc.sqlserver.SQLServerImplStatement.getNextResultType(Unknown Source)

Thanks

Nikhil

    This topic has been closed for replies.

    2 replies

    N
    nikhil20101Author
    Participating Frequently
    August 6, 2010

      1

    ilssac
    ilssac
    Inspiring
    August 6, 2010

    Normalize your data design and your job would be much, much easier.

    table1

    IDTitleFilename
    1title1file1.doc
    2title2file2.doc
    3tile3file3.doc

    table2

    IDName
    1name1
    2name2
    3name3
    4name4

    tableJoin

    Table1_idTable2_id
    11
    12
    13
    14
    21
    31
    32

    Now you could write proper SQL with joins such as

    SELECT aField,bField,cField

    FROM

    table1 INNER JOIN

    tableJoin ON table1.id = tableJoin.table1_id INNER JOIN

    table2 ON table2.id = tableJoin.table2_id

    WHERE

    table2.id IN (<cfqueryparam value="1,2,3" list="true">)

    But to answer your actual question.

    SELECT name FROM Table2  where id IN (#preserveSingleQuotes(idlist)#)

    Because ColdFusion automaticaly escapes single quotes inside of a string variable used in a <cfquery...> block.  For strings like "Joe isn't going to the club at 10 o'clock" that would need to be escaped to work properly in a SQL statement.  You use the preserveSingleQuotes() function when you don't want this to happen.

    -
    -__cfSearching__-
    Inspiring
    August 6, 2010

    Normalize your data design and your job would be much, much

    easier.

    +1

     

    Because ColdFusion automaticaly escapes single quotes

    inside of a string variable used in a <cfquery...>

    block.  For strings like "Joe isn't going to the club at 10

    o'clock" that would need to be escaped to work properly in a

    SQL statement.  You use hte preserveSingleQuotes() function

    when you don't want this to happen.

    ... which unfortunately re-opens the door to sql injection that CF just tried to close auto-magically

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices