Why aren't you doing this?

<cfquery...>
Select value from table1 where id = <cfqueryparam cfsqltype="cf_sql_int" value="#url.param1#" />
</cfquery>

What you have now is quite dangerous.

.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com
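
An added illustration, not part of either message in this thread: the question's string-built query and the cfqueryparam version above, recreated in Python with SQLite so it runs offline and shows both the quote breakage the question describes and the injection it implies. The table1 rows are constructed here, and the literal is single-quoted because SQLite does not accept "..." as a string delimiter the way MySQL does by default; the failure mode is otherwise identical, since a quote character inside url.param1 ends the literal early either way.

```python
# Added example (not from the thread): the poster's string-built query beside
# the cfqueryparam approach, recreated in Python + SQLite so it runs offline.
# Assumptions: table1(id INTEGER, value TEXT) is constructed below; the SQL
# literal is single-quoted because SQLite, unlike MySQL, does not treat "..."
# as a string delimiter. A quote in url.param1 still terminates the literal.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the thread's table1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO table1 (id, value) VALUES (?, ?)",
        [(1, "alpha"), (2, "beta"), (3, "gamma")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, param1: str) -> list:
    """Mirrors the cfset/cfquery in the question: url.param1 is spliced into the SQL text."""
    sql_string = f"select value from table1 where id = '{param1}' order by id"
    return [row[0] for row in conn.execute(sql_string)]


def unsafe_raises(conn: sqlite3.Connection, param1: str) -> bool:
    """True when the string-built statement is rejected by the database (the poster's error)."""
    try:
        lookup_unsafe(conn, param1)
    except sqlite3.OperationalError:
        return True
    return False


def lookup_safe(conn: sqlite3.Connection, param1) -> list:
    """Mirrors cfqueryparam: the SQL text is constant; the value is bound separately."""
    rows = conn.execute(
        "select value from table1 where id = ? order by id", (param1,)
    )
    return [row[0] for row in rows]


def coerce_int(param1) -> Optional[int]:
    """What cfsqltype="cf_sql_int" adds: the value must be an integer before it is sent."""
    try:
        return int(str(param1).strip())
    except ValueError:
        return None


def lookup_safe_int(conn: sqlite3.Connection, param1) -> list:
    """Typed parameter: reject anything that is not an integer, then bind it."""
    value = coerce_int(param1)
    if value is None:
        raise ValueError("id must be an integer")
    return lookup_safe(conn, value)


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2"))             # happy path shared by both versions
    print(lookup_unsafe(db, "2' or '1'='1"))  # every row: the statement was rewritten
    print(unsafe_raises(db, "don't"))         # a stray quote breaks the statement
    print(lookup_safe(db, "2' or '1'='1"))    # payload is just an id that matches nothing
    print(lookup_safe(db, 'a"b'))             # quotes of either kind are harmless as data
    print(lookup_safe_int(db, "3"))
```

The parameterized form is the answer to the question as asked: whatever arrives in url.param1 is sent to the database as data, never as SQL syntax, so there is nothing to encode and nothing for MySQL to mis-retrieve. cf_sql_int goes one step further by rejecting anything that is not an integer before the statement is sent at all.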



-----Original Message-----
From: Richard White [mailto:[email protected]] 
Sent: Saturday, June 25, 2011 8:13 AM
To: cf-talk
Subject: Double Quote issue


Hi,

we are having to build a complex query in a string using parameters passed
through the URL and then run it within a cfquery. 

Here is a basic example:

<cfset param1 = url.param1 />
<cfset sqlString = 'select value from table1 where id = "#param1#"' />
<cfquery name="myQuery" datasource="myDatasource">
<cfoutput>#sqlString#</cfoutput>
</cfquery>

This all works fine until the url.param1 includes a double quote, then of
course it conflicts with the double quotes it is surrounded in and throws an
error.

Even if we encode the string then of course MySQL won't be able to retrieve
the correct results.

Do you have any suggestions on how to get around this?

thanks 



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345667