Inspiring
February 5, 2010
Question

Misinterpretation of common characters

  • February 5, 2010
  • 2 replies
  • 887 views

I have a description column in my sql table, defined as nvarchar 50.

I ran into a situation that we did not account for.

The user entered a description of "Tape, Roll, size 6 '   ". I attempted to insert this value into the table using '#form.description#'. Needless to say, it blew up because it was interpreting the single quote after the 6 as another quote. To correct the problem, I eliminated the single quote after the six.

What is the proper way to handle situations like this, or any other situation that ColdFusion might interpret as one of its symbols?


2 replies

Inspiring
February 5, 2010

Regarding

What is the proper way to handle situations like this, or any other situation that ColdFusion might interpret as one of its symbols?

cfqueryparam.

Known Participant
February 8, 2010

Hello,

Further to Dan's post:

<cfqueryparam cfsqltype="cf_sql_varchar" value="##">

In fact, what you are experiencing is how SQL-injection attacks occur.

If you aren't checking your form input, or using cfqueryparam, you are doing it wrong.
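A complete version of the insert from the question, written as an added example (this is not code posted in the thread), with the unsafe string interpolation and the cfqueryparam form side by side; the table name "tableName", the datasource "db" and the nvarchar(50) description column are assumed from the question:

```cfml
<!--- Added example, not from the original thread. Assumes a table
      "tableName" with a description column declared nvarchar(50),
      reached through a datasource named "db", as in the question. --->

<!--- The form value from the question, set here so the page runs
      without a form post --->
<cfset form.description = "Tape, Roll, size 6 '   ">

<!--- UNSAFE (left commented out): the form value is pasted into the
      SQL string, so the apostrophe after the 6 closes the literal
      early and the statement fails to parse. A crafted value could
      change what the statement does instead of just breaking it.

<cfquery name="qryUnsafe" datasource="db">
    insert into tableName (description) values ('#form.description#')
</cfquery>
--->

<!--- SAFE: cfqueryparam sends the value as a bind parameter. The
      driver never splices it into the SQL text, so quotes inside it
      are plain data. maxlength mirrors the nvarchar(50) column so
      oversized input is rejected before the database sees it. --->
<cfquery name="qryInsert" datasource="db">
    insert into tableName (description)
    values (
        <cfqueryparam cfsqltype="cf_sql_varchar"
                      value="#form.description#"
                      maxlength="50">
    )
</cfquery>

<!--- Read the row back with the same value to confirm the
      apostrophe was stored intact --->
<cfquery name="qryCheck" datasource="db">
    select description
    from tableName
    where description = <cfqueryparam cfsqltype="cf_sql_varchar"
                                      value="#form.description#"
                                      maxlength="50">
</cfquery>

<cfoutput>#qryCheck.recordCount# row(s) found: #qryCheck.description#</cfoutput>
```

The same cfqueryparam pattern applies to every value in the insert, not only the description column; any value that comes from a user has to be bound rather than interpolated.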

Inspiring
February 5, 2010
... insert this value into the table using '#form.description#'. Needless to say, it blew up because it was interpreting the single quote after the 6 as another quote.

What do you mean "blew up"? What was the actual query used and the error message?

trojnfn (Author)
Inspiring
February 5, 2010

The query was just a simple insert :

<cfquery name="qry" datasource="db">
<!--- form value spliced straight into the SQL string --->
insert into tableName
(description,
xxx,
yyy,
etc)
values
('#form.description#',
'xxx',
'yyy',
etc.)
</cfquery>

I have single quotes around #form.description#, so it was trying to insert 'Tape, Roll, 6' ', and the single quote after the six with the single closing quote made it seem like a double quote, 6'', so the insert query blew up. It was attempting to insert 'Tape, Roll, 6". I cannot duplicate the exact error, but I know it did not like the single quote after the six. I removed it from the description field and the query worked.

I was just wondering how to handle this situation in the future.