ColdFusion adding extra quotes when constructing database queries in strings

by

ColdFusion, by design, escapes single quotes when interpolating variables within <cfquery> tags.

To do what you want, you need to use the PreserveSingleQuotes() function.

<cfquery ...>#PreserveSingleQuotes(query)#</cfquery>

This doesn’t address, however, the danger of SQL injection to which you are exposing yourself.

Using <cfqueryparam> also allows your database to cache the query, which in most cases will improve performance.

It might be helpful to read an old Ben Forta column and a recent post by Brad Wood for more information about the benefits of using <cfqueryparam>.

More Related Contents:

  1. Splitting string into multiple rows in Oracle
  2. Why does Oracle 9i treat an empty string as NULL?
  3. How to use GROUP BY to concatenate strings in MySQL?
  4. How to split a single column values to multiple column values?
  5. Strings as Primary Keys in SQL Database [closed]
  6. Better techniques for trimming leading zeros in SQL Server?
  7. What’s the best way to capitalise the first letter of each word in a string in SQL Server
  8. How to capitalize the first letter of each word in a string in SQL Server
  9. SQL string comparison, greater than and less than operators
  10. SQL Server convert string to datetime
  11. How to count instances of character in SQL Column
  12. Splitting the string in sql server
  13. SQL Server converting varbinary to string
  14. How do I remove extended ASCII characters from a string in T-SQL?
  15. String concatenation does not work in SQLite
  16. Coldfusion – variable field name when looping through database query results
  17. UPDATE and REPLACE part of a string
  18. Counting the number of occurrences of a substring within a string in PostgreSQL
  19. Converting String List into Int List in SQL
  20. How to compare dates in SQL Server
  21. COUNT MANY FIELDS IN ACCESS [closed]
  22. Create a date from day month and year with T-SQL
  23. What is the expected behaviour for multiple set-returning functions in SELECT clause?
  24. What is the difference between Views and Materialized Views in Oracle?
  25. Cross Join without duplicate combinations
  26. Table or column name cannot start with numeric?
  27. SQL: Alias Column Name for Use in CASE Statement
  28. SQL: Two select statements in one query
  29. SQL Inner Join On Null Values
  30. PostgreSQL: Full Text Search – How to search partial words?

Leave a Comment