I cannot think of a single use case for preserveSingleQuotes() on data provided by the client. That is extremely dangerous, as you are exposing your database to all kinds of delightful attacks. I would urge you to find a solution that utilizes <cfqueryparam /> for that stuff, but at the very least you *must* sanitize user input before passing it off to a query - especially if you are using preserveSingleQuotes()!
HTH

On Fri, Jun 29, 2012 at 11:00 AM, Dave Jemison <[email protected]> wrote:
>
> Glad I could help! I remember pulling my hair out a while ago before I
> figured that one out.
>
> Another trick you can use:
> <cfset SESSION.F = "WHERE tblY.fldA='#FORM.Result#'">
> instead of
> <cfset SESSION.F = "WHERE tblY.fldA='" & FORM.Result & "'">
>
> It's mainly just a matter of preference, but I've found the first way
> easier to debug when there are a lot of text and variables being
> concatenated, especially if creating URIs with lots of &s.
>
> >Thanks! First time I've ever had to use that one.
> >
> >
> >
> >Have you tried the following?
> >SELECT tblY.fldX
> >FROM tblY
> >#PreserveSingleQuotes(SESSION.F)#;
>
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351756
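To make the warning above concrete, here is an added example (not code from the thread or from any of its posters) that puts the quoted SESSION.F / PreserveSingleQuotes() pattern next to a <cfqueryparam /> version. The datasource name "myDSN", the variable SESSION.filterA and the attack string are assumptions; tblY, fldA, fldX and FORM.Result are the names used in the thread. Inside <cfquery>, ColdFusion doubles single quotes in any #var# it interpolates, which is exactly the protection PreserveSingleQuotes() switches off, so applying it to a string that contains client data hands the client control of the SQL.

```cfml
<!---
  Added example, not code from the original thread.
  Assumptions: datasource "myDSN", SESSION.filterA, and the attack string.
  tblY / fldA / fldX / FORM.Result are the names used in the thread.
--->

<!--- Constructed sample input standing in for what a client could POST --->
<cfset FORM.Result = "x' OR '1'='1">

<!--- 1. The pattern from the thread: a SQL fragment built from client data,
        parked in SESSION, then spliced in with PreserveSingleQuotes().
        Because the quote-doubling is disabled, the quote in FORM.Result
        closes the literal and the clause that reaches the database is
            WHERE tblY.fldA='x' OR '1'='1'
        so every row in tblY is returned. --->
<cfset SESSION.F = "WHERE tblY.fldA='#FORM.Result#'">
<cfquery name="qInjectable" datasource="myDSN">
    SELECT tblY.fldX
    FROM tblY
    #PreserveSingleQuotes(SESSION.F)#
</cfquery>

<!--- 2. Hardened: store the VALUE in SESSION, never a SQL fragment, and bind
        it with <cfqueryparam>. The driver sends the text as a parameter, so
        the quote is data rather than syntax, and PreserveSingleQuotes() is
        not needed at all. maxlength caps what the client can send. --->
<cfset SESSION.filterA = FORM.Result>
<cfquery name="qSafe" datasource="myDSN">
    SELECT tblY.fldX
    FROM tblY
    WHERE tblY.fldA = <cfqueryparam value="#SESSION.filterA#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- 3. If the WHERE clause really has to be optional, make the STRUCTURE
        dynamic in CFML and keep every value bound. Nothing a client typed
        ever becomes part of the SQL text. --->
<cfquery name="qOptional" datasource="myDSN">
    SELECT tblY.fldX
    FROM tblY
    WHERE 1 = 1
    <cfif structKeyExists(SESSION, "filterA") AND len(SESSION.filterA)>
        AND tblY.fldA = <cfqueryparam value="#SESSION.filterA#"
                                       cfsqltype="cf_sql_varchar">
    </cfif>
</cfquery>
```

The point of version 2 and 3 is that the SQL text is fixed at development time and only values travel as parameters, which is what makes PreserveSingleQuotes() unnecessary. The only place PreserveSingleQuotes() is defensible is on a string assembled entirely from server-side constants (for example a clause chosen from a fixed list by a CFML switch), never on anything that started life in FORM, URL, COOKIE or CGI.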

