
Building up a coldfusion query issue with LIKE statement

Developer https://www.devze.com 2023-01-16 14:25 Source: web

I am trying to build a dynamic SQL statement with this line

<cfset SQL = "SELECT url, MONTH(event_date) AS months, YEAR(event_date) AS year, event_date, title from events where title LIKE '%#form.event_name#%' ">

<cfquery name="results" >
#SQL#
</cfquery>

Seems there is a problem with the like clause. Any ideas? Do I need to escape the %?

Thanks


Within a CFQUERY, ColdFusion will replace single quotes in #SQL# with double quotes automagically.

So in theory you would have to write your query like this:

<cfquery name="results" >
#PreserveSingleQuotes(SQL)#
</cfquery>

BUT... It's very dangerous to accept a form variable and use it without further validation directly in your query. Seems like an invitation for SQL injection attacks to me.

I'd rather use <cfqueryparam> like so:

<cfquery name="results" >
SELECT url, MONTH(event_date) AS months, YEAR(event_date) AS year, event_date, title 
from events 
where title LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="%#form.event_name#%"> 
</cfquery>
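One caveat the accepted approach leaves open: cfqueryparam stops the form value from being parsed as SQL, but any `%` or `_` the user types is still a LIKE wildcard, so a search for `_` matches every single-character title fragment. The following is an added example, not code from the question or the answer above; it assumes a datasource named `eventsDS` (placeholder) and escapes the wildcard characters so they match literally.

```cfml
<!--- Added example: parameterised LIKE search with user-supplied wildcards neutralised.
      "eventsDS" is a placeholder datasource name; form.event_name is the search field. --->
<cfset searchTerm = Trim(form.event_name)>

<!--- Escape LIKE metacharacters. The escape character itself goes first so that
      a backslash typed by the user is not mistaken for our own escape. --->
<cfset searchTerm = Replace(searchTerm, "\", "\\", "all")>
<cfset searchTerm = Replace(searchTerm, "%", "\%", "all")>
<cfset searchTerm = Replace(searchTerm, "_", "\_", "all")>

<cfquery name="results" datasource="eventsDS">
    SELECT url, MONTH(event_date) AS months, YEAR(event_date) AS year, event_date, title
    FROM events
    WHERE title LIKE <cfqueryparam cfsqltype="cf_sql_varchar"
                                   value="%#searchTerm#%"
                                   maxlength="100">
          ESCAPE '\'
</cfquery>
```

The `maxlength` attribute rejects oversized input before it reaches the database, and the `ESCAPE '\'` clause tells the database which character marks a literal `%` or `_`; check your database's LIKE documentation if it uses a different default escape character.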