ColdFusion single quote issue with SQL Query

In my ColdFusion 11 app, with SQL Server 2008-R2, I've following cfquery tag inside a CF Component:

<cfquery name="result_set" dataSource="#request.dsn_name#">
    select name, state from myTable #REReplace(where_clause,"''","'","ALL")#        
</cfquery>

Here where_clause is a variable. The CF replaces one single quote with two and hence I'm using the REReplace function to replace two single quotes back into one. So my query changes, e.g. from

select name, state from myTable WHERE name IN (''ABC'') 

to this:

 select name, state from myTable WHERE name IN ('ABC') 

The problem is when a name column value contains a single quote as well. E.g.

select name, state from myTable WHERE name IN ('Smith's bat') 

In such cases the query fails. How can I resolve such cases? I tried PreserveSingleQuotes but it has the same issue where the column has values with single quotes.

UPDATE

This app was developed years ago by someone using ColdFusion MX 7. The original author is creating a dynamic string for the where_clause variable based on certain conditions. It's a long cfs file with several conditions used for creating the dynamic string for where_clause. Hence, using cfqueryparam may either not be suitable or may require a complete overhaul of the code that the customer will not allow.

nam asked Dec 02 '25 09:12


1 Answer

That's a nasty problem. I'm afraid I can only come up with a nasty "solution".

  • Substitute the value delimiters: <cfset where_clause = replace(where_clause, "''", "§§", "ALL")>
  • Then escape the actual single quotes: <cfset where_clause = replace(where_clause, "'", "\'", "ALL")>
  • Now revert the substitution and normalize the delimiters: <cfset where_clause = replace(where_clause, "§§", "'", "ALL")>

Throwing it together:

<cfset substitution = "§§"> <!--- use whatever char sequence works best for your data --->

<!--- fallback in case the substitution is part of your data --->
<cfif where_clause contains substitution>

    <cfset substitution = "°°°">
    <!---
        you can basically start looping through a bunch of alternatives
        or even expand the substitution with an additional character
        ...you get the idea
    --->

</cfif>

<cfset where_clause = replace(where_clause, "''", substitution, "ALL")>
<cfset where_clause = replace(where_clause, "'", "\'", "ALL")>
<cfset where_clause = replace(where_clause, substitution, "'", "ALL")>

<cfquery...

As you can see this is still highly problematic and may fail some day. But there's probably no better alternative as long as you have to deal with the where_clause variable.

Alex answered Dec 06 '25 22:12
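For comparison, here is the bound-parameter form the question mentions, as an added example (not code from the question or the answer above). It assumes the dynamic where_clause can be rebuilt from its values (the hypothetical variables nameList and stateFilter) rather than spliced in as a finished SQL fragment; with cfqueryparam the single quote in "Smith's bat" is passed as data, so no quote escaping or un-escaping is needed and the where clause can no longer be altered by its input.

```cfml
<!--- Added example; nameList and stateFilter are constructed sample values. --->

<!--- "|" as separator so that commas inside a name do not split the list --->
<cfset nameList = "ABC|Smith's bat">

<!--- empty string means "no state filter" --->
<cfset stateFilter = "NY">

<cfquery name="result_set" dataSource="#request.dsn_name#">
    select name, state
    from myTable
    where name in (
        <!--- list="true" binds one ? parameter per list element;
              the driver sends each value separately from the SQL text,
              so the quote in "Smith's bat" is never SQL syntax --->
        <cfqueryparam value="#nameList#"
                      cfsqltype="cf_sql_varchar"
                      list="true"
                      separator="|">
    )
    <!--- optional conditions are added as more bound parameters,
          not by concatenating user-supplied text into the statement --->
    <cfif len(stateFilter)>
        and state = <cfqueryparam value="#stateFilter#" cfsqltype="cf_sql_varchar">
    </cfif>
</cfquery>
```

Each branch of the existing condition logic can append to a value list or set a variable like these, and the cfquery binds them; the REReplace step in the question then becomes unnecessary.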
