
Use of CFQUERYPARAM to specify table/column names in SQL

I need to dynamically construct a set of JOIN statements where the table and column names are passed in from another ColdFusion query. When passing the string values into the statement, CFQUERYPARAM adds single quotes around it - that's part of the point of CFQUERYPARAM. Given that this breaks the SQL statement, is it acceptable not to use CFQUERYPARAM in this case and instead ensure that the incoming query is cleansed, or is there a way round which allows CFQUERYPARAM to be used? (I can lock down these pieces of code using circuit/fuse permissions in Fusebox.)

Thanks.

cfqueryparam does not add single quotes - it uses bind variables.

I am instantly suspicious of the statement "dynamically construct a set of JOIN statements" - it doesn't sound like you're necessarily doing things properly if you're dynamically joining.

However, for table/column names, once you are definitely sanitizing fully - if cfqueryparam doesn't work and you need CF variables - then yes, you can use CF variables directly.

Note: To sanitize safely, you can use rereplacenocase(table_name,'[^a-z_]','','all') to remove everything other than a-z and underscore.
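As an added example (not part of the original question or answers, and not ColdFusion code), the following Python script shows the pattern the answer above recommends, applied against an in-memory sqlite3 database that is constructed for the demonstration: table and column names supplied by the caller are validated against an allowlist read from the live schema and rejected outright when they do not match, while the filter value stays a bind parameter. It also shows what a bind variable actually does with an identifier: `SELECT ? FROM orders` bound to the string `total` returns the literal string on every row, not the column. The table names, columns, sample rows and function names are all assumptions for the example.

```python
import re
import sqlite3

# Constructed, in-memory stand-in for the application's database (an assumption for
# this example; the original question names no tables or columns).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
        INSERT INTO customers VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (10, 1, 9.5), (11, 2, 20.0), (12, 1, 3.25);
    """)
    return con

# Shape check: letters, digits and underscore only, not starting with a digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def schema_allowlist(con):
    """Map each real table to its real columns, read from the live schema."""
    allow = {}
    for (table,) in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        # 'table' came from sqlite_master, not from the caller, so interpolating it is safe.
        allow[table] = {row[1] for row in con.execute(f'PRAGMA table_info("{table}")')}
    return allow

def checked_ident(name, allowed):
    """Reject, rather than silently strip, anything that is not a known identifier."""
    if not IDENT_RE.match(name) or name not in allowed:
        raise ValueError(f"identifier not permitted: {name!r}")
    return name

def build_join(con, left, left_key, right, right_key, select_col, filter_col):
    """Return a JOIN whose identifiers came from the caller, all checked against the schema."""
    allow = schema_allowlist(con)
    lt, rt = checked_ident(left, allow), checked_ident(right, allow)
    lk, rk = checked_ident(left_key, allow[lt]), checked_ident(right_key, allow[rt])
    sc, fc = checked_ident(select_col, allow[lt]), checked_ident(filter_col, allow[rt])
    # Validated identifiers are double-quoted into the text; the filter value stays a
    # bind parameter (?), which is the only thing a bind variable can carry.
    return (f'SELECT "{lt}"."{sc}" FROM "{lt}" '
            f'JOIN "{rt}" ON "{lt}"."{lk}" = "{rt}"."{rk}" '
            f'WHERE "{rt}"."{fc}" = ? ORDER BY "{lt}"."{sc}"')

def totals_for(con, customer_name, **idents):
    """Run the dynamic JOIN; customer_name is passed as a bound value, never interpolated."""
    sql = build_join(con, **idents)
    return [row[0] for row in con.execute(sql, (customer_name,))]

def bound_identifier_is_a_literal(con):
    """Binding a column name yields the string 'total' per row, not the column's values."""
    return [row[0] for row in con.execute("SELECT ? FROM orders", ("total",))]

if __name__ == "__main__":
    db = make_db()
    print(totals_for(db, "alice", left="orders", left_key="customer_id", right="customers",
                     right_key="id", select_col="total", filter_col="name"))
    print(bound_identifier_is_a_literal(db))
```

Two design choices differ from the rereplacenocase approach in the answer: a bad name is refused instead of having characters stripped out of it, because stripping can quietly turn one name into a different, valid one; and the allowlist is the actual schema, so a name that matches the character class but is not a real table or column is still rejected.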

You can escape the single quotes by using two of them. You can also use the preserveSingleQuotes function.
