The issue here is that there are various filters being built up from different functions, which is why we are having to do it as a string and not directly inside a cfquery tag.

Is there any way to put the cfqueryparam tag inside a string and have it output that? Again, a basic example:

<cfset sqlString = 'select value from table1 where id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.param1#" />' />
<cfquery name="myQuery" datasource="myDatasource">
<cfoutput>#sqlString#</cfoutput>
</cfquery>

thanks

>Why aren't you doing this?
>
><cfquery...>
>Select value from table1 where id = <cfqueryparam cfsqltype="cf_sql_integer"
>value="#url.param1#" />
></cfquery>
>
>What you have now is quite dangerous.
>
>.:.:.:.:.:.:.:.:.:.:.:.:.:.
>Bobby Hartsfield
>http://acoderslife.com
>http://cf4em.com
>
>
>
>Hi,
>
>we are having to build a complex query in a string using parameters passed
>through the URL and then run it within a cfquery.
>
>Here is a basic example:
>
><cfset param1 = url.param1 />
><cfset sqlString = 'select value from table1 where id = "#param1#"' />
><cfquery name="myQuery" datasource="myDatasource">
><cfoutput>#sqlString#</cfoutput>
></cfquery>
>
>This all works fine until the url.param1 includes a double quote, then of
>course it conflicts with the double quotes it is surrounded in and throws an
>error.
>
>Even if we encode the string then of course MySQL won't be able to retrieve
>the correct results.
>
>Do you have any suggestions on how to get around this?
>
>thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345676
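A cfqueryparam tag cannot be embedded in a string, but the same effect (the SQL text stays constant and the values are bound separately) can be had when filters are assembled from several functions: each function returns a fragment with "?" placeholders plus the values for them, and the pieces are handed to queryExecute. This is an added example, not code from the thread; it assumes a CFML engine with queryExecute (ColdFusion 11+ or Lucee), the table, column and datasource names from the original question, and a hypothetical "name" column and filter functions.

```cfml
<cfscript>
// Added example (not from the thread). Assumes queryExecute() is available
// (ColdFusion 11+ / Lucee). table1, value, id and myDatasource are from the
// original question; the "name" column and the filter functions are hypothetical.

// Each filter function returns a SQL fragment with "?" placeholders and the
// values that belong to those placeholders. Values never enter the SQL text.
function idFilter(required numeric id) {
    return { sql: "id = ?", params: [ { value: arguments.id, cfsqltype: "cf_sql_integer" } ] };
}

function nameFilter(required string name) {
    // A double quote inside the name is just data here; nothing to escape.
    return { sql: "name = ?", params: [ { value: arguments.name, cfsqltype: "cf_sql_varchar" } ] };
}

// Combine fragments from any number of filter functions into one WHERE clause,
// keeping the parameter values in the same order as the "?" markers.
function buildQuery(required array filters) {
    var clauses = [];
    var params  = [];
    for (var f in arguments.filters) {
        arrayAppend(clauses, f.sql);
        arrayAppend(params, f.params, true); // true = merge the elements, not nest the array
    }
    var sql = "select value from table1";
    if (arrayLen(clauses)) {
        sql &= " where " & arrayToList(clauses, " and ");
    }
    return { sql: sql, params: params };
}

// Only add the filters whose URL parameters are actually present.
filters = [];
if (structKeyExists(url, "param1")) arrayAppend(filters, idFilter(val(url.param1)));
if (structKeyExists(url, "name"))   arrayAppend(filters, nameFilter(url.name));

q = buildQuery(filters);
// queryExecute binds each "?" to the matching entry of the params array,
// exactly as cfqueryparam would inside a cfquery tag.
myQuery = queryExecute(q.sql, q.params, { datasource: "myDatasource" });
</cfscript>
```

On engines without queryExecute, the same separation can be kept by building the fragments as cfif blocks inside the cfquery tag itself, each with its own cfqueryparam, rather than interpolating a finished string.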

