ColdFusion 在字符串中构造数据库查询时添加额外的引号
我在 ColdFusion 中编码,但试图留在 cfscript 中,所以我有一个函数允许我传递一个查询来运行它 <代码>
但不知何故,当我使用 sql = "SELECT * FROM a WHERE b='#c#'" 构造查询并将其传入时,ColdFusion 已将单引号替换为 2 个单引号。 所以它在最终查询中变成 WHERE b=''c'' 。
我尝试过很多不同的方式创建字符串,但我无法让它只留下一个引号。 即使进行字符串替换也没有效果。
知道为什么会发生这种情况吗? 它毁了我在这个项目期间生活在 cfscript 中的希望
I am coding in ColdFusion, but trying to stay in cfscript, so I have a function that allows me to pass in a query to run it with
<cfquery blah >
#query#
</cfquery>
Somehow though, when I construct my queries with sql = "SELECT * FROM a WHERE b='#c#'" and pass it in, ColdFusion has replaced the single quotes with 2 single quotes. so it becomes WHERE b=''c'' in the final query.
I have tried creating the strings a lot of different ways, but I cannot get it to leave just one quote. Even doing a string replace has no effect.
Any idea why this is happening? It is ruining my hopes of living in cfscript for the duration of this project
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
根据设计,ColdFusion 在
要执行您想要的操作,您需要使用
PreserveSingleQuotes()函数。然而,这并没有解决您所面临的 SQL 注入的危险。
还使用
阅读旧的 Ben Forta 专栏和Brad Wood 最近发表的文章,了解有关使用
ColdFusion, by design, escapes single quotes when interpolating variables within
<cfquery>tags.To do what you want, you need to use the
PreserveSingleQuotes()function.This doesn't address, however, the danger of SQL injection to which you are exposing yourself.
Using
<cfqueryparam>also allows your database to cache the query, which in most cases will improve performance.It might be helpful to read an old Ben Forta column and a recent post by Brad Wood for more information about the benefits of using
<cfqueryparam>.正如其他人所说,您的问题的答案是使用
preserveSingleQuotes(...)但是,您真正想要的解决方案,不是以这种方式动态构建您的查询。 这太糟糕了。
将 SQL 放入 cfquery 标记内,并根据需要添加任何 ifs/switches/etc,并确保所有 CF 变量使用
cfqueryparam标记。(请注意,如果在 ORDER BY 子句中使用变量,则需要手动转义任何变量;cfqueryparam 不能在 ORDER BY 子句中使用)
The answer to your question, as others have said, is using
preserveSingleQuotes(...)However, the solution you actually want, is not to dynamically build your queries in this fashion. It's Bad Bad Bad.
Put your SQL inside the cfquery tags, with any ifs/switches/etc as appropriate, and ensure all CF variables use the
cfqueryparamtag.(Note, if you use variables in the ORDER BY clause, you'll need to manually escape any variables; cfqueryparam can't be used in ORDER BY clauses)
当您使用以下语法时,ColdFusion 会自动转义
如果您想在
#Foo#中保留单引号,则必须调用 <代码>#PreserveSingleQuotes(Foo)#。请注意,自动转义仅适用于变量值,不适用于函数结果。
有鉴于此,函数
PreserveSingleQuotes()(请参阅 Adobe LiveDocs)只不过是对值的“空操作” - 将其转换为函数结果以绕过自动转义。ColdFusion automatically escapes single quotes quotes in
<cfquery>tags when you use the following syntax:In case you would want to preserve single quotes in
#Foo#you must call#PreserveSingleQuotes(Foo)#.Be aware the the automatic escaping works only for variable values, not for function results.
In that light, the function
PreserveSingleQuotes()(see Adobe LiveDocs) is not much more than a "null operation" on the value - turning it into a function result to bypass auto-escaping.我对戴夫的回答投了赞成票,因为我认为他做得很好。
不过,我想补充一点,还有几种专为 ColdFusion 设计的不同工具,可以简化您可能执行的许多常见 SQL 任务。 有一个非常轻量级的工具,名为 DataMgr,由 Steve Bryant 编写,还有 转自 Mark Mandel,Reactor 最初由 Doug Hughes 创建,我开发了一个名为 DataFaucet 的项目。 其中每一个都有自己的优点和缺点。 就我个人而言,我认为您可能会认为 DataFaucet 能够为您提供留在 cfscript 中的最佳能力,它具有用于构建不同类型查询的多种语法。
以下是一些示例:
该框架确保 cfqueryparam 始终与这些过滤语句一起使用,以防止 sql 注入攻击,并且插入、更新和删除语句也有类似的语法。 (有一些避免 sql 注入的简单规则。)
I voted up Dave's answer since I thought he did a good job.
I'd like to add however that there are also several different tools designed for ColdFusion that can simplify a lot of the common SQL tasks you're likely to perform. There's a very light-weight tool called DataMgr written by Steve Bryant, as well as Transfer from Mark Mandel, Reactor which was originally created by Doug Hughes and one I developed called DataFaucet. Each of these has its own strengths and weaknesses. Personally I think you're apt to consider DataFaucet to be the one that will give you the best ability to stay in cfscript, with a variety of syntaxes for building different kinds of queries.
Here are a few examples:
The framework ensures that cfqueryparam is always used with these filter statements to prevent sql-injection attacks, and there are similar syntaxes for insert, update and delete statements. (There are a couple of simple rules to avoid sql-injection.)