What will happen is it will preserve the single quotes passed in from the
form and then the cfquery tag will double them up.  They need to be doubled
up so that the database will insert one single quote.

On Dec 5, 2007 2:20 PM, Zerr, Randell (JSC-IS)[TES] <[EMAIL PROTECTED]>
wrote:

> I thought of that function, but my problem is that CF is NOT escaping
> single quotes.
>
>
> -----Original Message-----
> From: [email protected] on behalf of Aaron Rouse
> Sent: Wed 12/5/2007 2:15 PM
> To: [email protected]
> Subject: [houcfug] Re: CF and escaped quotes
>
> Ah, we do something like this in a couple of spots and in those places we
> do use the PreserveSingleQuotes() function.
>
> On Dec 5, 2007 2:11 PM, Zerr, Randell (JSC-IS)[TES] <
> [EMAIL PROTECTED]>
> wrote:
>
> > Thanks for the input.  I just figured out the problem - a problem that
> > just happened to be common with all three apps I tested.  The sql is being
> > created as a string and passed into the cfquery which, in effect, disables
> > the escaping mechanism.
> >
> > <cfset theSql = "Select x from y">
> >
> > <cfquery>
> > #theSql#
> > </cfquery>
> >
> > I missed this in my initial analysis because the page I was examining was
> > a 700 line include file with all 700 lines being a series of inserts into
> > different places with cfif's all over the place.  I finally realized that
> > there was no cfquery on the page and then found that there was a cfquery on
> > another page that was cfincluding the page with all of the inserts:
> >
> > <cfquery>
> > <cfinclude template="x.cfm">
> > </cfquery>
> >
> > Ug.  I think I am just going to use a udf to wrap all of the variables
> > with that will escape the single quotes, create a keyboard shortcut in
> > Dreamweaver, and start typing.  This will alleviate the problem until we can
> > rebuild these older apps.
> >
> >
> > -----Original Message-----
> > From: [email protected] on behalf of Aaron Rouse
> > Sent: Wed 12/5/2007 1:57 PM
> > To: [email protected]
> > Subject: [houcfug] Re: CF and escaped quotes
> >
> > CFQUERY is supposed to replace single quotes with double quotes or that has
> > always been my understanding and definitely how it has worked since CF 4
> > because we have code here dating back to then that relies on this.  I cannot
> > find a doc reference but this hotfix for CF 6 mentions it:
> >
> > http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19108&sliceId=1
> >
> > Perhaps something has changed in CF8 because I did notice this thread:
> >
> > http://www.adobesystems-macromedia.com/cfusion/webforums/forum/messageview.cfm?forumid=1&catid=6&threadid=1292386&enterthread=y
> >
> > I'd be curious though if something has changed why my test on my CF8 box
> > worked.  Forgot to mention earlier that my CF8 box has the first hot fix
> > loaded on it.
> >
> > On Dec 5, 2007 1:36 PM, Mark Davis <[EMAIL PROTECTED]>
> > wrote:
> >
> > > In the past years, I remember having errors where data contained single
> > > quotes and we weren't expecting them, so I don't think CF handled them by
> > > default.  If you use cfstoredproc and cfprocparam, the procparam tag MIGHT
> > > take care of that, but I would doubt single quotes are handled with a simple
> > > cfquery block.
> > >
> > >
> > >
> > > My encounters with the errors led me to always use queryparam starting a
> > > long time ago.  I know that doesn't help you though.
> > >
> > >
> > >
> > > Mark Davis
> > > Cricket Communications
> > > Software Engineer III
> > >
> > > 303-734-7694 (w)
> > >
> > > *From:* [email protected] [mailto:[EMAIL PROTECTED] *On
> > > Behalf Of *Zerr, Randell (JSC-IS)[TES]
> > > *Sent:* Wednesday, December 05, 2007 11:42 AM
> > > *To:* [email protected]
> > > *Subject:* [houcfug] CF and escaped quotes
> > >
> > >
> > >
> > > We recently upgraded to CF8 and SQL 2005 and have been getting some odd
> > > errors.  It appears that cfquery is not escaping single quotes in query
> > > params, which is causing errors.  The applications affected are older apps
> > > not written by me that do not use cfqueryparam.  Unless I am wrong, CF has
> > > always escaped single quotes in query params by default.  I cannot find any
> > > information relating to this issue on the web (other than the random
> > > complaint that CF IS escaping single quotes) so I was wondering if anyone
> > > else has experienced the issue.  I could change the queries to use
> > > cfqueryparam, however, several apps and many hundreds of lines of cfqueries
> > > would have to be rewritten and tested.  Is there some new checkbox in the cf
> > > administrator that I am missing?
> > >
> > > Here is a sample:
> > >
> > > <cfquery name="xx" datasource="xx">
> > > insert into tablex
> > > (field1,field2)
> > > values
> > > ('#form.field1#','#form.field2#')
> > > </cfquery>
> > >
> > > Where form.field1 may have a value of "Dell Computer's"
> >
> > --
> > Aaron Rouse
> > http://www.happyhacker.com/
> >
>
> --
> Aaron Rouse
> http://www.happyhacker.com/
>


-- 
Aaron Rouse
http://www.happyhacker.com/
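As an added example (not code from the thread), here are the three patterns discussed above side by side: direct interpolation, which cfquery escapes; SQL assembled as a string first, which bypasses that escaping; and cfqueryparam, which removes the value from the SQL text altogether. The datasource name `myDSN` and the column lengths are assumptions; `tablex` and `form.field1` come from Randell's sample.

```cfml
<!--- Constructed form input containing a single quote (not real data) --->
<cfset form.field1 = "Dell Computer's">
<cfset form.field2 = "Houston">

<!--- Pattern 1: variable interpolated directly inside the cfquery body.
      cfquery doubles the single quote in form.field1 before the SQL reaches
      the driver, so the statement becomes: values ('Dell Computer''s','Houston') --->
<cfquery name="q1" datasource="myDSN">
    insert into tablex (field1, field2)
    values ('#form.field1#', '#form.field2#')
</cfquery>

<!--- Pattern 2: the SQL is built as a string first. The form value is already
      embedded in theSql when cfquery evaluates it, so the whole string is either
      escaped (which doubles the delimiter quotes and breaks the query) or, as
      here, passed through PreserveSingleQuotes() and not escaped at all. A
      cfinclude that emits the SQL inside cfquery behaves like the latter: the
      raw quote from the form reaches the database unescaped. --->
<cfset theSql = "insert into tablex (field1, field2) values ('#form.field1#', '#form.field2#')">
<cfquery name="q2" datasource="myDSN">
    #preserveSingleQuotes(theSql)#
</cfquery>

<!--- Pattern 3: bind parameters. The value is never part of the SQL text, so
      no quote escaping is involved and the driver receives a typed,
      length-limited parameter. This is the form to migrate the old apps to. --->
<cfquery name="q3" datasource="myDSN">
    insert into tablex (field1, field2)
    values (
        <cfqueryparam value="#form.field1#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.field2#" cfsqltype="cf_sql_varchar" maxlength="100">
    )
</cfquery>
```

When auditing the older apps, the cases to look for are the second pattern: a `#variable#` inside cfquery whose value was already assembled elsewhere, a `PreserveSingleQuotes()` call, or a `cfinclude` inside the cfquery body.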

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the "Houston ColdFusion 
Users' Group" discussion list.