> I am reviewing CF and working on a small site to get my skills back up to
> par.
>
> Here is what I have:
>
> <CFSET theSQL = "SELECT queryName, title, content FROM content WHERE
> queryName = '#URL.queryName#'">
>
> <cfquery name="getContent" datasource="indie">#theSQL#</cfquery>
>
> <CFOUTPUT>#theSQL#</CFOUTPUT>
>
> I am getting an error about the SQL statement being invalid:
>
> ...
>
> Notice that PrivacyPolicy has '' around it. I am not putting it there. If I
> put this statement in a SQL editor and run it, it is invalid, and if I switch
> to like I think I am doing in the CFSET, it works.
>
> What am I doing wrong?
You are doing two things wrong.

First, if you want to use a single-quoted string like you're doing, you need to use PreserveSingleQuotes:

<cfquery ...>#PreserveSingleQuotes(theSQL)#</cfquery>

Second, and more importantly, using raw data from the browser like that is a serious security vulnerability. Whenever you use unsafe data within a query, you should build a prepared statement using the CFQUERYPARAM tag:

http://www.adobe.com/devnet/coldfusion/articles/cfqueryparam.html

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317684
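To make the two points in the reply concrete, here is the poster's query written three ways. This is an added example, not code from the original thread: the table, column and datasource names come from the question, while the attacker input in the second comment and the maxlength value in the third are assumptions chosen for illustration.

```cfml
<!--- 1. As posted. ColdFusion doubles any single quote inside a #variable#
         that is evaluated in a cfquery body, so the SQL the driver receives is
         ... WHERE queryName = ''PrivacyPolicy''
         which is why the statement is rejected as invalid. --->
<cfset theSQL = "SELECT queryName, title, content FROM content WHERE queryName = '#URL.queryName#'">
<cfquery name="getContent" datasource="indie">#theSQL#</cfquery>

<!--- 2. PreserveSingleQuotes() stops the doubling, so the query now runs.
         But URL.queryName is still pasted into the SQL text, so a request like
         ?queryName=x' OR '1'='1        (constructed input, for illustration)
         turns the WHERE clause into  queryName = 'x' OR '1'='1'
         and returns every row; anything else the database will parse is
         possible in the same way. This is the injection the reply warns about. --->
<cfquery name="getContent" datasource="indie">
    #PreserveSingleQuotes(theSQL)#
</cfquery>

<!--- 3. Parameterised. The value travels to the database as a bound parameter,
         never as part of the SQL string, so quotes in it cannot change the
         statement. cfsqltype constrains the type and maxlength rejects
         oversized input before the query is sent (50 is an assumed limit;
         match it to the column definition). --->
<cfquery name="getContent" datasource="indie">
    SELECT queryName, title, content
    FROM content
    WHERE queryName = <cfqueryparam value="#URL.queryName#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<cfif getContent.recordCount EQ 0>
    <!--- no such page: handle as "not found" rather than assuming one row --->
</cfif>
```

Two further notes. The `<CFOUTPUT>#theSQL#</CFOUTPUT>` line in the question echoes the raw URL parameter back into the HTML unencoded, so it doubles as a reflected cross-site scripting hole; if you need to see the SQL while debugging, wrap it in HTMLEditFormat() and remove it before the site goes live. And a parameterised query should be the rule even for values that "can't be" user input today, because the same template tends to get reused with a form field or cookie later.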

