如何在 ColdFusion 中覆盖 SQL 清理
我有一项不幸的任务,就是清理一堆旧的 ColdFusion 代码。 查询无处不在,我正在努力将它们全部转移到通用 CFC 中,以便于维护。
我遇到了问题,因为 cfquery 会自动将单引号转换为双单引号。 我怎样才能覆盖这种行为?
更具体的信息如下。
所以这是我开始的查询:
<cfquery name="getObjectInfo" datasource="#BaseDS#">
SELECT groupName AS lastname, '[Group]' AS firstname
FROM groups
WHERE groups.group_id = #objectreference_id#
</cfquery>
这里奇怪的是,由于我们希望它显示的方式,文字被“选择”(同样,我没有写这个,我只是想清理它一点)。 所以在公共函数中,select子句有一个可选参数:
<cffunction name="fSelGroup" access="public" returntype="query"
hint="Returns query selecting given group.">
<cfargument name="intGroupID" type="numeric" required="true"
hint="ID of group to be returned." />
<cfargument name="strSelectAttributes" type="string" required="false"
hint="Attributes to be selected in query"
default="*" />
<cfquery name="getObjectInfo" datasource="#Application.DataSource#">
SELECT #Arguments.strSelectAttributes#
FROM Groups
WHERE Group_ID = #Arguments.intGroupID#
</cfquery>
<cfreturn getObjectInfo />
</cffunction>
问题是这样的:当我传入 "GroupName AS LastName, '[Group]' AS FirstName"
SELECT GroupName AS LastName, ''[Group]'' AS FirstName
FROM Groups
WHERE Group_ID = 4
您看,我的引号被“净化”为无效查询。
I have the unfortunate task of cleaning up a bunch of old ColdFusion code. Queries are all over the place, I am working on moving them all to common CFCs for easier maintenance.
I am running into a problem because cfquery is automatically converting the single quotes to double-single-quotes. How can I override that behavior?
More specific information is below.
So here is the query I started with:
<cfquery name="getObjectInfo" datasource="#BaseDS#">
SELECT groupName AS lastname, '[Group]' AS firstname
FROM groups
WHERE groups.group_id = #objectreference_id#
</cfquery>
The weird thing here is that a literal is being "selected", because of the way we want it displayed (again, I didn't write this, I'm just trying to clean it up a little). So in the common function, there is an optional parameter for the select clause:
<cffunction name="fSelGroup" access="public" returntype="query"
hint="Returns query selecting given group.">
<cfargument name="intGroupID" type="numeric" required="true"
hint="ID of group to be returned." />
<cfargument name="strSelectAttributes" type="string" required="false"
hint="Attributes to be selected in query"
default="*" />
<cfquery name="getObjectInfo" datasource="#Application.DataSource#">
SELECT #Arguments.strSelectAttributes#
FROM Groups
WHERE Group_ID = #Arguments.intGroupID#
</cfquery>
<cfreturn getObjectInfo />
</cffunction>
Here is the problem: When I pass in "GroupName AS LastName, '[Group]' AS FirstName" for the strSelectAttributes parameter, the query that is sent to the database is:
SELECT GroupName AS LastName, ''[Group]'' AS FirstName
FROM Groups
WHERE Group_ID = 4
You see, my quotes got "sanitized" into an invalid query.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
ColdFusion 不会转义所有 单引号,而只会转义那些通过变量插值到达查询的单引号。 这就是罪犯:
这通常是一件有用的事情,也是针对 SQL 注入攻击的一小道防线。 所以第一条规则是(这里和其他地方):不要从变量构建 SQL 字符串。
如果您必须使用变量来构建 SQL 字符串,尽管存在所有可能的负面影响,请使用
PreserveSingleQuotes()函数:此函数会阻止 ColdFusion 自动转义单引号。
顺便说一句,任何其他函数调用都会做同样的事情。 Try:
这意味着 PreserveSingleQuotes() 实际上只是一个将字符串转换为函数结果的无操作,从而防止自动变量插值例程发生。
ColdFusion does not escape all single quotes, but only those that arrive in the query through variable interpolation. This is the offender:
This is usually a helpful thing and a small line of defense against SQL injection attacks. So rule number one is (here and everywhere else): Don't build your SQL string from variables.
If you positively have to use variables to build an SQL string, despite all the possible negative effects, use the
PreserveSingleQuotes()function:This function stops ColdFusion from auto-escaping the single quotes.
And any other function call does the same thing, by the way. Try:
which means that PreserveSingleQuotes() is really just a no-op that turns a string into a function result, preventing the automatic variable interpolation routine from happening.
在变量周围调用preserveSingleQuotes()。 它是专门为编写动态 SQL 而设计的。 另外,您真的,真的应该使用 cfqueryparam 作为您的值,我希望您以某种方式清理您的输入,以便arguments.strSelectAttributes 不能包含类似 ';drop table groups; 的内容。 在里面。
Put a call to preserveSingleQuotes() around your variable. It's made specifically for writing dynamic SQL. Also, you really, really should use cfqueryparam for your values, and I hope you're sanitizing your input somehow so that arguments.strSelectAttributes can't contain something like ';drop table groups; in it.
如果您确实想清理代码,第二步是将意大利面条转换为存储过程。
If you really wanting to clean up the code step two is converting that spaghetti into stored procedures.