<cfset value = "Two single quotes '' and one single quote ' in the same line
does not insert as expected." />
<cfquery datasource="#datasource#">
UPDATE Record
SET field = '#value#'
</cfquery>
Running the code above updated the record in the database to be "Two single
quotes ' and one single quote ' in the same line does not insert as expected."
In this case it did not escape the two single quotes together so only one sigle
quote was entered there, but where the single quote was by itself it was
properly escaped and entered into the database record. I would have expected
the code above to be entered into the database as "Two single quotes '' and one
single quote ' in the same line does not insert as expected." where all single
quotes in the string were escaped.
Has anyone else encountered this problem, and know of a way to correct it?
The exact same query works as exprected in previous versions of ColdFusion.
Manually changing all of the existing queries on the site to manually escape
the single quotes would be an incredibly time consuming process, so I'm hoping
that there is another way around the problem.
<cfquery datasource="#datasource#">
UPDATE Record
SET field = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#value#">
</cfquery>
Phil
Even if changing the query to use the CFQUERYPARAM had corrected the problem I
would like to avoid having to go through all of the existing queries that are
inserting data into the database and having to edit them if possible. The
number of man hours of work that would be involved in editing all of the
existing queries makes that approach to correcting the problem impractical, and
at the moment would only be considered as a last resort.
While using stored procedures is definitely a possibility I'd rather not have
to change the thousands of existing queries into stored procedures to correct
this problem. That would be a lot of work to do to correct something that had
been working correctly in previous versions of ColdFusion.
After a bit more testing I was able to get the cfqueryparam tag to insert the
data correctly. While I don't like the idea of having to update all of the
existing queries, it doesn't look like I'm going to have much of a choice in
the matter.
NeoTech
http://www.techprodigy.net
Thanks!
<a href ="www.techprodigy.net">Coldfusion </a>
check which db connector driver is used and look up built-in escape
characters in that driver version and how to disable/change those (i.e.
maybe possible though a connection string argument for dsn or jdbc url
param)
alternatively, see if you can use drivers that do not use built-in
escape characters, if such exist...
Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
I'll create a system ODBC connection and try the ODBC Socket driver when I get
some time and see if that has an effect on the problem. Overall I don't like
the general idea of creating a system ODBC data source for each database since
it adds an extra layer of overhead to the queries, but if this works then it
will save a lot of effort in updating existing queries.
Anthony O'Hare
http://www.advanceddatarecovery.co.uk http://www.inkcartridgesuk.co.uk http://www.datarecovery24.co.uk
that there is another way around the problem.[/q]
With that specific example, let's say value = O'Hara. This is what I have
noticed over time.
set field = '#value#' would crash because your database would see 3 single
quotes.
set field = '#replace(value, "'", "''", "all")#' would work, but your database
record would be O'Hara, not O''Hara as you said you would expect.