And with preserveSingleQuotes() you have to hope you're better at cleaning input than hackers are at writing SQL injection. And yes, we all know you're totally awesome at it; this response is for others who'd rather not make that bet.
mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/

2009/6/30 Claude Schneegans <schneeg...@internetique.com>:
>
>>> As Dominic said, putting the entire sql statement in as a variable in
>>> ColdFusion isn't necessary.
>
> Please, there IS a very good reason one would put an SQL statement in a
> variable: when using some tool to generate/build queries, for instance.
> I have many examples in my own CMS, like a report builder, search
> engine, etc.
>
>>> However, just for future knowledge's sake, the reason you're receiving this
>>> error is because when you feed in a variable with single quotes, for some
>>> reason they become duplicated when you feed it in SQL. I've actually never
>>> seen this before, mostly because it's not good practice in ColdFusion to do
>>> this.
>
> The "some" reason is simply that any single quote in values in the
> statement must be escaped, and CF will do it automatically for any
> variable inside a CFQUERY tag.
> If you supply your own SQL statement, you are responsible for escaping
> single quotes yourself, and you must prevent CF from doing it, because CF
> is not able to distinguish quotes in the statement from quotes in values.
> This is the purpose of the pseudo function preventSingleQuotes().
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:324065
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
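The following is an added CFML example, not code posted by either participant, showing the three things this exchange is about side by side: the quote doubling Claude describes when a whole statement sits in a variable inside cfquery, the injection bet the reply above warns about when preserveSingleQuotes() switches that escaping off, and the cfqueryparam form that avoids both, including the "report builder" case where the SQL text itself is assembled at run time. The datasource name `cms`, the `articles` table with columns `id`, `title` and `author`, the `url.q` request parameter and the `filters` struct are all assumptions made for the example.

```cfml
<!--- Added example, not from the thread. Assumes a datasource "cms" with a
      table articles(id, title, author). url.q is untrusted request input;
      the filters struct below is constructed by hand to stand in for form fields. --->
<cfparam name="url.q" default="">

<!--- 1. The pattern under discussion: the whole statement lives in a variable.
      If this variable were placed inside cfquery as #sql#, CF would escape every
      single quote in its value (it cannot tell the quotes that delimit the
      literal from quotes inside the value), so the database would receive
        WHERE title = ''bob''
      which is the "duplicated quotes" syntax error the original poster hit. --->
<cfset sql = "SELECT id, title FROM articles WHERE title = '" & url.q & "'">

<!--- 2. preserveSingleQuotes() turns that escaping off. The query now parses,
      but url.q is spliced into the statement untouched, so a request such as
        ?q=x' OR '1'='1
      returns every row. Whatever cleaning is done to url.q beforehand is the
      bet the reply above advises against. --->
<cfquery name="unsafe" datasource="cms">
    #preserveSingleQuotes(sql)#
</cfquery>

<!--- 3. Hardened form: the SQL text is fixed and the value travels as a bind
      parameter. The driver never parses the value as SQL, so no escaping is
      needed, and cfsqltype/maxlength reject data that does not fit. --->
<cfquery name="safe" datasource="cms">
    SELECT id, title
    FROM   articles
    WHERE  title = <cfqueryparam value="#url.q#" cfsqltype="cf_sql_varchar" maxlength="200">
</cfquery>

<!--- 4. The report-builder case from the quoted post: SQL assembled at run time.
      Only column names from an allow-list are written into the statement text;
      every value still goes through cfqueryparam, so preserveSingleQuotes()
      is never required even though the statement is built dynamically. --->
<cfset allowedColumns = "title,author">
<cfset filters = structNew()>
<cfset filters["title"]  = url.q>       <!--- constructed sample filter --->
<cfset filters["author"] = "alice">     <!--- constructed sample filter --->

<!--- Validate identifiers before they reach the query: a key that is not on
      the allow-list must not be concatenated into SQL under any circumstances. --->
<cfloop collection="#filters#" item="col">
    <cfif NOT listFindNoCase(allowedColumns, col)>
        <cfthrow message="Unknown filter column: #col#">
    </cfif>
</cfloop>

<cfquery name="report" datasource="cms">
    SELECT id, title, author
    FROM   articles
    WHERE  1 = 1
    <cfloop collection="#filters#" item="col">
        AND #col# = <cfqueryparam value="#filters[col]#" cfsqltype="cf_sql_varchar">
    </cfloop>
</cfquery>
```

The distinction that matters in step 4 is between identifiers and values: the column name is chosen by the application from a fixed list and may be concatenated, while anything that originates from the request is always a parameter. Keeping that split lets a query generator produce arbitrary statements without ever needing to know how the target database escapes a quote.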