ColdFusion, by design, escapes single quotes when interpolating variables within <cfquery>
tags.
To do what you want, you need to use the PreserveSingleQuotes()
function.
<cfquery ...>#PreserveSingleQuotes(query)#</cfquery>
This doesn’t address, however, the danger of SQL injection to which you are exposing yourself.
Using <cfqueryparam>
also allows your database to cache the query, which in most cases will improve performance.
It might be helpful to read an old Ben Forta column and a recent post by Brad Wood for more information about the benefits of using <cfqueryparam>
.