On 4/26/05, Cliff Meyers <[EMAIL PROTECTED]> wrote:
> event.getArg("SurveyForm").getComment1()
> 
> to insert text into the DB.  I found out that when outputting the CFC
> inside CFQUERY (as shown above, wrapped in ## naturally)  that the single
> quotes in the text to be inserted weren't being escaped... thus causing
> the Oracle DB syntax error.

I believe this is a known issue that complex expressions do not have
their single quotes escaped correctly. The workaround is to use a
temporary local variable:

<cfset var comment1 = arguments.event.getArg("SurveyForm").getComment1() />
...
<cfquery ...>
   ...#comment1#...
</cfquery>

But as others have pointed out, you should really use <cfqueryparam>
to prevent SQL injection attacks (and possibly improve performance).
-- 
Sean A Corfield -- http://corfield.org/
Team Fusebox -- http://fusebox.org/
Got Gmail? -- I have 50, yes 50, invites to give away!

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood
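
The three forms discussed above side by side, as an added example that is not part of the original thread. The table name `survey_response`, the column `comment1`, the datasource `application.dsn` and the surrounding `<cffunction>` are assumptions; the getter call is the one from the original post.

```cfml
<!--- Added example, not from the thread. Assumes this runs inside a
      <cffunction> (so "var" is legal) and that survey_response.comment1
      and application.dsn exist. --->

<!--- 1. Interpolating the complex expression directly. As reported in the
      thread, single quotes in the returned text are not doubled here, so a
      comment containing an apostrophe breaks the statement with an Oracle
      syntax error, and any quote-bearing input can change the SQL itself. --->
<cfquery name="insDirect" datasource="#application.dsn#">
  INSERT INTO survey_response (comment1)
  VALUES ('#arguments.event.getArg("SurveyForm").getComment1()#')
</cfquery>

<!--- 2. The workaround from the reply: copy the value into a local variable
      first. A simple variable reference inside <cfquery> does get its
      single quotes doubled, so the apostrophe no longer breaks the INSERT.
      This still relies on string escaping rather than on parameter binding. --->
<cfset var comment1 = arguments.event.getArg("SurveyForm").getComment1() />
<cfquery name="insEscaped" datasource="#application.dsn#">
  INSERT INTO survey_response (comment1)
  VALUES ('#comment1#')
</cfquery>

<!--- 3. Preferred: bind the value with <cfqueryparam>. The text travels to the
      driver as a bound parameter, so it can never be parsed as SQL, the
      declared type and maxlength are enforced, and the database can reuse
      the prepared statement. maxlength 4000 assumes an Oracle VARCHAR2 column. --->
<cfquery name="insParam" datasource="#application.dsn#">
  INSERT INTO survey_response (comment1)
  VALUES (
    <cfqueryparam value="#comment1#" cfsqltype="cf_sql_varchar" maxlength="4000" />
  )
</cfquery>
```

Form 3 is the one to keep: it removes the quoting problem and the injection risk at the same time, and it does not depend on which kinds of expression ColdFusion happens to escape inside `<cfquery>`.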


----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to 
[email protected] with the words 'unsubscribe cfcdev' as the subject of the 
email.

CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting 
(www.cfxhosting.com).

An archive of the CFCDev list is available at
www.mail-archive.com/[email protected]