I thought of that function, but my problem is that CF is NOT escaping single quotes.
-----Original Message-----
From: [email protected] on behalf of Aaron Rouse
Sent: Wed 12/5/2007 2:15 PM
To: [email protected]
Subject: [houcfug] Re: CF and escaped quotes

Ah, we do something like this in a couple of spots and in those places we do use the PreserveSingleQuotes() functions.

On Dec 5, 2007 2:11 PM, Zerr, Randell (JSC-IS)[TES] <[EMAIL PROTECTED]> wrote:

> Thanks for the input. I just figured out the problem - a problem that
> just happened to be common with all three apps I tested. The sql is being
> created as a string and passed into the cfquery which is, in effect, disabling
> the escaping mechanism.
>
> <cfset theSql = "Select x from y">
>
> <cfquery>
> #theSql#
> </cfquery>
>
> I missed this in my initial analysis because the page I was examining was
> a 700 line include file with all 700 lines being a series of inserts into
> different places with cfif's all over the place. I finally realized that
> there was no cfquery on the page and then found that there was a cfquery on
> another page that was cfincluding the page with all of the inserts:
>
> <cfquery>
> <cfinclude template="x.cfm">
> </cfquery>
>
> Ug. I think I am just going to use a udf to wrap all of the variables
> with that will escape the single quotes, create a keyboard shortcut in
> Dreamweaver, and start typing. This will alleviate the problem until we can
> rebuild these older apps.
>
>
> -----Original Message-----
> From: [email protected] on behalf of Aaron Rouse
> Sent: Wed 12/5/2007 1:57 PM
> To: [email protected]
> Subject: [houcfug] Re: CF and escaped quotes
>
> CFQUERY is supposed to replace single quotes with double quotes or that has
> always been my understanding and definitely how it has worked since CF 4
> because have code here dating back to then that relies on this. I cannot
> find a doc reference but this hotfix for CF 6 mentions it:
>
> http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19108&sliceId=1
>
> Perhaps something has changed in CF8 because I did notice this thread:
>
> http://www.adobesystems-macromedia.com/cfusion/webforums/forum/messageview.cfm?forumid=1&catid=6&threadid=1292386&enterthread=y
>
> I'd be curious though if something has changed why my test on my CF8 box
> worked. Forgot to mention earlier that my CF8 box has the first hot fix
> loaded on it.
>
> On Dec 5, 2007 1:36 PM, Mark Davis <[EMAIL PROTECTED]> wrote:
>
> > In the past years, I remember having errors where data contained single
> > quotes and we weren't expecting them, so I don't think CF handled them by
> > default. If you use cfstoredproc and cfprocparam, the procparam tag MIGHT
> > take care of that, but I would doubt single quotes are handled with a simple
> > cfquery block.
> >
> > My encounters with the errors led me to always use queryparam starting a
> > long time ago. I know that doesn't help you though.
> >
> > Mark Davis
> > Cricket Communications
> > Software Engineer III
> >
> > 303-734-7694 (w)
> >
> > *From:* [email protected] [mailto:[EMAIL PROTECTED] *On Behalf Of *Zerr, Randell (JSC-IS)[TES]
> > *Sent:* Wednesday, December 05, 2007 11:42 AM
> > *To:* [email protected]
> > *Subject:* [houcfug] CF and escaped quotes
> >
> > We recently upgraded to CF8 and SQL 2005 and have been getting some odd
> > errors. It appears that cfquery is not escaping single quotes in query
> > params, which is causing errors. The applications affected are older apps
> > not written by me that do not use cfqueryparam. Unless I am wrong, CF has
> > always escaped single quotes in query params by default. I cannot find any
> > information relating to this issue on the web (other than the random
> > complaint that CF IS escaping single quotes) so I was wondering if anyone
> > else has experienced the issue. I could change the queries to use
> > cfqueryparam, however, several apps and many hundreds of lines of cfqueries
> > would have to be rewritten and tested. Is there some new checkbox in the cf
> > administrator that I am missing?
> >
> > Here is a sample:
> >
> > <cfquery name="xx" datasource="xx">
> > insert into tablex
> > (field1,field2)
> > values
> > ('#form.field1#','#form.field2#')
> > </cfquery>
> >
> > Where form.field1 may have a value of "Dell Computer's"
>
> --
> Aaron Rouse
> http://www.happyhacker.com/

--
Aaron Rouse
http://www.happyhacker.com/
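The three approaches discussed in this thread, side by side, as an added example that is not code from any of the posters: SQL assembled as a string before it reaches cfquery, the interim quote-doubling UDF, and the cfqueryparam rewrite. The UDF name escSql, the value given to form.field2 and the cf_sql_varchar types are assumptions; tablex, field1, field2 and the datasource name xx come from the thread's sample.

```cfml
<!--- Added example. Constructed input matching the thread's sample value. --->
<cfset form.field1 = "Dell Computer's">
<cfset form.field2 = "Houston">

<!--- 1. Problem pattern: the statement is built with cfset, so the form
      values are interpolated outside cfquery and arrive unescaped. The
      apostrophe ends the string literal early and the statement breaks. --->
<cfset unsafeSql = "insert into tablex (field1, field2)
                    values ('#form.field1#', '#form.field2#')">

<!--- 2. Interim fix: a UDF (hypothetical name escSql) that doubles single
      quotes. It only protects values placed inside '...' literals; numeric
      or unquoted positions get no protection from it. --->
<cffunction name="escSql" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <cfreturn Replace(arguments.value, "'", "''", "all")>
</cffunction>

<cfset theSql = "insert into tablex (field1, field2)
                 values ('#escSql(form.field1)#', '#escSql(form.field2)#')">
<cfquery name="xx" datasource="xx">
    <!--- PreserveSingleQuotes() stops cfquery from escaping the quotes in the
          prebuilt string, including the ones that delimit the literals. --->
    #PreserveSingleQuotes(theSql)#
</cfquery>

<!--- 3. Durable fix: bind each value. The driver receives the data
      separately from the SQL text, so quoting no longer matters. --->
<cfquery name="xx" datasource="xx">
    insert into tablex (field1, field2)
    values (
        <cfqueryparam value="#form.field1#" cfsqltype="cf_sql_varchar">,
        <cfqueryparam value="#form.field2#" cfsqltype="cf_sql_varchar">
    )
</cfquery>
```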
