Richard, you could always use cfsavecontent to build the SQL, and then
use the variable in the cfquery.

But you should also be using cfqueryparam with anything from forms and url,
essentially anything that is or could be from user input.

Regards,
Andrew Scott
http://www.andyscott.id.au/


> -----Original Message-----
> From: Richard White [mailto:rich...@j7is.co.uk]
> Sent: Saturday, 25 June 2011 10:13 PM
> To: cf-talk
> Subject: Double Quote issue
> 
> 
> Hi,
> 
> we are having to build a complex query in a string using parameters passed
> through the URL and then run it within a cfquery.
> 
> Here is a basic example:
> 
> <cfset param1 = url.param1 />
> <cfset sqlString = 'select value from table1 where id = "#param1#"' />
> <cfquery name="myQuery" datasource="myDatasource">
> <cfoutput>#sqlString#</cfoutput> </cfquery>
> 
> This all works fine until the url.param1 includes a double quote, then of
> course it conflicts with the double quotes it is surrounded in and throws an
> error.
> 
> Even if we encode the string then of course MySQL won't be able to retrieve
> the correct results.
> 
> Do you have any suggestions on how to get around this?
> 
> thanks
> 
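
As an added example (not code from this thread), the string-built query from Richard's message is shown beside a parameterised version of the same lookup, followed by one way to keep user values bound when the query shape has to vary with the URL parameters. Table, column and datasource names are the ones from the quoted snippet; url.ids, url.minId and url.sort are assumed parameters invented for the illustration.

```cfml
<!--- Added example, not from the original thread. Table/column/datasource names
      come from Richard's snippet; url.ids, url.minId and url.sort are assumed. --->

<!--- Vulnerable form (as in the question): the URL value is pasted into the SQL text.
      Inside cfquery ColdFusion doubles single quotes found in #variables#, but it does
      nothing to double quotes, so a " in url.param1 ends the MySQL string literal
      early: the statement breaks, or a crafted value changes its meaning. --->
<cfset param1 = url.param1 />
<cfset sqlString = 'select value from table1 where id = "#param1#"' />
<cfquery name="unsafeQuery" datasource="myDatasource">
    #sqlString#
</cfquery>

<!--- Hardened form: the SQL text is constant and the value travels as a bound
      parameter, so any quote in it is data, never syntax, and no encoding is needed. --->
<cfquery name="safeQuery" datasource="myDatasource">
    select value
    from table1
    where id = <cfqueryparam value="#url.param1#" cfsqltype="cf_sql_varchar" />
</cfquery>

<!--- Dynamic shape without string concatenation: choose which clauses appear with
      cfif inside cfquery, keep every user value in a cfqueryparam, and accept only
      whitelisted identifiers, since column names cannot be bound parameters. --->
<cfset sortCol = "id" />
<cfif structKeyExists(url, "sort") AND listFindNoCase("id,value", url.sort)>
    <cfset sortCol = url.sort />
</cfif>

<cfquery name="dynamicQuery" datasource="myDatasource">
    select id, value
    from table1
    where 1 = 1
    <cfif structKeyExists(url, "ids") AND len(url.ids)>
        <!--- list="true" expands a comma-separated value into one bound ? per item --->
        and id in (
            <cfqueryparam value="#url.ids#" cfsqltype="cf_sql_varchar" list="true" />
        )
    </cfif>
    <cfif structKeyExists(url, "minId") AND isNumeric(url.minId)>
        and id >= <cfqueryparam value="#url.minId#" cfsqltype="cf_sql_integer" />
    </cfif>
    order by #sortCol#
</cfquery>
```

The cfsqltype on each parameter also gives the driver a type check: a non-numeric value sent to a cf_sql_integer parameter is rejected before the statement reaches the database, which is a second line of defence beyond the quoting problem in the question.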


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345671
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm