Ok. Your example didn't show any filters, it just took it directly from the
URL and stuck it right into a cfquery.

I've heard of people writing their cfquery to files so they could generate
the proper cfqueryparams and then just cfinclude that file to run the query.
Obviously that's going to add file I/O overhead. Depending on your app, it
could be way too much.

The other option might be to create a stored proc that executes the dynamic
SQL, then pass the entire SQL block into the SP call within a single
cfqueryparam tag:

<cfquery...>
Exec dbo.mySP @mySQl = <cfqueryparam cfsqltype="cf_sql_varchar"
value="Select value from table where value = #url.id#" />
</cfquery>

I've never found the need to do either and if there was a more detailed
example of what you are trying to do, I'm sure one of the many experienced
people on this list might be able to offer some better ideas.

.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com
http://cf4em.com



-----Original Message-----
From: Richard White [mailto:rich...@j7is.co.uk] 
Sent: Saturday, June 25, 2011 12:34 PM
To: cf-talk
Subject: Re: Double Quote issue


The issue here is that there are various filters being built up from
different functions, which is why we are having to do it as a string and not
directly inside a cfquery tag.

Is there any way to put the cfqueryparam tag inside a string and have it
output that?

again a basic example:

<cfset sqlString = 'select value from table1 where id = <cfqueryparam
cfsqltype="cf_sql_int" value="#url.param1#" />' />
<cfquery name="myQuery" datasource="myDatasource">
<cfoutput>#sqlString#</cfoutput>
</cfquery>

thanks
>Why aren't you doing this?
>
><cfquery...>
>Select value from table1 where id = <cfqueryparam cfsqltype="cf_sql_int"
>value="#url.param1#" />
></cfquery>
>
>What you have now is quite dangerous.
>
>.:.:.:.:.:.:.:.:.:.:.:.:.:.
>Bobby Hartsfield
>http://acoderslife.com
>http://cf4em.com
>
>
>
>Hi,
>
>we are having to build a complex query in a string using parameters passed
>through the URL and then run it within a cfquery. 
>
>Here is a basic example:
>
><cfset param1 = url.param1 />
><cfset sqlString = 'select value from table1 where id = "#param1#"' />
><cfquery name="myQuery" datasource="myDatasource">
><cfoutput>#sqlString#</cfoutput>
></cfquery>
>
>This all works fine until the url.param1 includes a double quote, then of
>course it conflicts with the double quotes it is surrounded in and throws an
>error.
>
>Even if we encode the string then of course MySQL won't be able to retrieve
>the correct results.
>
>Do you have any suggestions on how to get around this?
>
>thanks 
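The problem the thread keeps circling (filters assembled by several functions, each needing its own bound value) can be handled without ever putting a cfqueryparam tag inside a string: have each filter function return a struct holding a SQL fragment with a fixed, code-controlled column plus the value to bind and its type, and let the cfquery itself emit the cfqueryparam tags while looping over the collected filters. This is an added example written for this page, not code posted by anyone in the thread; the function names `idFilter` and `nameFilter`, the `filters` array, the `name` column and the `url.name` parameter are assumptions, and `table1`/`myDatasource` are taken from the original question.

```cfml
<!--- Added example (not from the thread). Each filter function returns a
      fragment plus the value to bind. The column name is fixed in code and is
      never taken from the request, so only the value is user-controlled. --->
<cffunction name="idFilter" returntype="struct" output="false">
    <cfargument name="id" type="string" required="true" />
    <cfset var f = structNew() />
    <cfset f.sql = "id = " />
    <cfset f.value = arguments.id />
    <cfset f.cfsqltype = "cf_sql_integer" />
    <cfreturn f />
</cffunction>

<cffunction name="nameFilter" returntype="struct" output="false">
    <cfargument name="name" type="string" required="true" />
    <cfset var f = structNew() />
    <cfset f.sql = "name = " />
    <cfset f.value = arguments.name />
    <cfset f.cfsqltype = "cf_sql_varchar" />
    <cfreturn f />
</cffunction>

<!--- Collect only the filters the request actually supplied (assumed URL
      parameters param1 and name). --->
<cfset filters = arrayNew(1) />
<cfif structKeyExists(url, "param1")>
    <cfset arrayAppend(filters, idFilter(url.param1)) />
</cfif>
<cfif structKeyExists(url, "name")>
    <cfset arrayAppend(filters, nameFilter(url.name)) />
</cfif>

<!--- The SQL text is built only from code-controlled fragments; every
      user-supplied value is bound through cfqueryparam, so a double quote
      (or anything else) in url.param1 is treated as data, not SQL. --->
<cfquery name="myQuery" datasource="myDatasource">
    select value
    from table1
    where 1 = 1
    <cfloop array="#filters#" index="f">
        and #f.sql# <cfqueryparam cfsqltype="#f.cfsqltype#" value="#f.value#" />
    </cfloop>
</cfquery>
```

Because the type travels with the value, a non-numeric `url.param1` is rejected by cfqueryparam's `cf_sql_integer` validation before the statement reaches MySQL, and the `where 1 = 1` base keeps the query valid when no filter applies. If the set of filterable columns must itself be request-driven, keep a fixed list of allowed column names in code and map the request onto it; never interpolate a column name straight from the URL.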



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345688