Re: SQL Help

Sun, 28 Jun 2009 11:34:54 -0700 

if you're going to be generating your SQL like that, you'll need to wrap
your final variable in preserveSingleQuotes().

so...

<cfquery name="addpersonaleventtome" datasource="cf_WikiData">
     #preserveSingleQuotes(sqlToRun)#
</cfquery>

it will be pointed out to you (possibly before I even finish composing this
response), that you are leaving yourself open to SQL injection attacks by
not using <cfqueryparam>.  Hopefully you're at least taking other steps to
sanitize the inputs :)

On Sun, Jun 28, 2009 at 11:23 AM, Jason Slack <[email protected]> wrote:

>
> CF 8.01 OS X.
>
> I have:
>
> <cfset sqlToRun = "INSERT INTO personalevent(eventid, userid, username,
> eventdate) VALUES(#FORM.eventidentity#, #FORM.whois#, '#FORM.juser#',
> '#FORM.eventdate#')">
>
>        <cfoutput> #sqlToRun# </cfoutput>
>
>        <cfquery name="addpersonaleventtome" dataSource="cf_WikiData">
>           #sqlToRun#
>        </cfquery>
>
> the <cfoutput> is:
> INSERT INTO personalevent(eventid, userid, username, eventdate) VALUES(1,
> 1, 'jason', '2009-06-27')
>
> Which runs fine in a SQL Editor, but running that in the above <cfquery> I
> get:
>
> You have an error in your SQL syntax; check the manual that corresponds to
> your MySQL server version for the right syntax to use near '1'', ''1'',
> ''jason'', ''2009-06-27'')' at line 1
>
> There are a number of extra single quotes that I dont see why.
>
> If I try converting to <crqueryparam> I have something messed up because I
> get an error:
>
> I did:
> <cfset sqlToRun = "INSERT INTO personalevent(eventid, userid, username,
> eventdate) VALUES(<cfqueryparam value="#FORM.eventidentity#"
> cfsqltype="CF_SQL_INTEGER">,  <cfqueryparam value="#FORM.whois#"
> cfsqltype="CF_SQL_INTEGER">, <cfqueryparam value="#FORM.juser#"
> cfsqltype="CF_SQL_VARCHAR">, <cfqueryparam value="#FORM.eventdate#"
> cfsqltype="CF_SQL_DATE">)">
>
> and I get an error: Invalid CFML construct found on line 22 at column 120.
>
> Does anyone see my issue?
>
> -Jason
>
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324027
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4

Reply via email to