Reputation: 1836
Use of CFQUERYPARAM to specify table/column names in SQL
I need to dynamically construct a set of JOIN statements where the table and column names are passed in from another ColdFusion query. When passing the string values to into the statement, CFQUERYPARAM adds single quotes around it - that's part of the point of CFQUERYPARAM. Given that this breaks the SQL statement, is it acceptable not to use CFQUERYPARAM in this case and instead ensure that the incoming query is cleansed, or is there a way round which allows CFQUERYPARAM to be used? (I can lock down these pieces of code using circuit/fuse permissions in Fusebox.)
Thanks.
Upvotes: 2
Views: 1665
Answers (2)
Reputation: 522
You can escape the single quotes by using two of them. You can also use the preserveSingleQuotes function.
Upvotes: 1
Reputation: 112150
cfqueryparam does not add single quotes - it uses bind variables.
I am instantly suspicious of the statement "dynamically construct a set of JOIN statements" - it doesn't sound like you're necessarily doing things properly if you're dynamically joining.
However, for table/column names, once you are definitely sanitizing fully - if cfqueryparam doesn't work and you need cf variables - then yes, you can use CF variables directly.
Note: To sanitize safely, you can use rereplacenocase(table_name,'[^a-z_]','','all') to remove everything other than a-z and underscore.
Upvotes: 5
Related Questions
- Coldfusion: executing dynamic query containing cfqueryparam
- Weird Coldfusion cfqueryparam
- Getting a single output from cfquery when query column is cfqueryparam variable
- Trouble using cfqueryparam with sql query strings
- Dynamic tablename in DAO.cfc?
- Is there any logical reason to use CFQUERYPARAM in Query of Queries?
- CFQUERYPARAM not working in ColdFusion 10
- Variable as SQL in cfquery
- cfqueryparam questions/help
- Is it possible to rebind sql paramters using the result from a cfquery?