Yes, and if this is form input, you should be using cfqueryparam anyway.
Please see the news for Sony's latest data hack, which was simple web-based
SQL injection. cfsqltype will need to match column datatype in each case.
<cfquery datasource="#DSN#" name="GetResults">
SELECT Formation, Play, BallCarrier, YardsGained, Result
FROM PlaysCalled
WHERE PlaysCalled.Formation = <cfqueryparam cfsqltype="CF_SQL_VARCHAR"
value="#Form.Formation#" />
AND PlaysCalled.Play = <cfqueryparam cfsqltype="CF_SQL_VARCHAR"
value="#Form.Play#" />
AND PlaysCalled.BallCarrier = <cfqueryparam cfsqltype="CF_SQL_VARCHAR"
value="#Form.BallCarrier#" />
</cfquery>
----------------------------------------
From: "Jim Brundle" <[email protected]>
Sent: Friday, June 10, 2011 9:15 AM
To: "cf-talk" <[email protected]>
Subject: CFQuery Select and single quotes in string
I'm doing a look up like this:
<cfquery datasource="#DSN#" name="GetResults">
SELECT Formation, Play, BallCarrier, YardsGained, Result
FROM PlaysCalled
WHERE (((PlaysCalled.Formation)="#Form.Formation#") AND
((PlaysCalled.Play)="#Form.Play#") AND
((PlaysCalled.BallCarrier)="#Form.BallCarrier#"));
</cfquery>
In some cases, the Ball Carrier's name has a single quote in it. In these
cases, the search doesn't find them.
So for instance, it finds "Bob Jones" but not "D'Quan Black."
Do I use cfqueryparam to resolve this? I'm using cfqueryparam when I
insert the data into the database, but when I use the line:
<cfqueryparam value="#Trim(GetPlay.BallCarrier)#"
cfsqltype="CF_SQL_LONGVARCHAR"> it doesn't find anything.
Thanks,
Jim
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345145
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
