是否可以使用 cfscript+cfquery+cfqueryparam 动态创建查询并转义值?

发布于 2024-11-06 07:16:00 字数 891 浏览 4 评论 0原文

我对 ColdFusion 还很陌生。基本上我正在动态创建 Oracle 查询。我过去曾使用过 cfquery/cfparam,但我真的宁愿使用 cfscript 来完成,因为它更具可读性。它旨在成为一个大型“INSERT ALL ... INTO”。

这是我到目前为止所拥有的一个基本示例:

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = queryNew("");
sql = "INSERT ALL";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    sql = sql & "INTO NOTINLIST (SOURCETABLE, SOURCECOLUMN, SOURCEPK, ENTEREDVALUE, INSERTDATE, UPDATEDDATE, INSERTEDBY, UPDATEDBY) VALUES(";
    // [..]

    // How to dynamically escape the value below?
    sql = sql & EscapeTheParameterHere( clinicNIL[ myFields[i] ]);

    // [..]
    sql = sql & ")
";

}

WriteOutput( query );
</cfscript>

在我有“EscapeTheParameterHere”的地方,我希望能够以某种方式转义该值。我怎样才能逃避这个价值?

我在这里,有关于 CF 的好的资源或参考吗?

I'm still new to ColdFusion. Basically I am dynamically creating a query for Oracle. I have used cfquery/cfparam in the past but I would really rather use cfscript to accomplish as that is more readable. It is intended to be a large 'INSERT ALL ... INTO.'

Here's a basic example of what I have so far:

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = queryNew("");
sql = "INSERT ALL";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    sql = sql & "INTO NOTINLIST (SOURCETABLE, SOURCECOLUMN, SOURCEPK, ENTEREDVALUE, INSERTDATE, UPDATEDDATE, INSERTEDBY, UPDATEDBY) VALUES(";
    // [..]

    // How to dynamically escape the value below?
    sql = sql & EscapeTheParameterHere( clinicNIL[ myFields[i] ]);

    // [..]
    sql = sql & ")
";

}

WriteOutput( query );
</cfscript>

Where I have 'EscapeTheParameterHere' I want to be able to have that value escaped somehow. how can I escape the value?

while I'm here, is there any good resources or references for CF?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

℉服软 2024-11-13 07:16:00

您可以使用 cfscript 查询对象的 addParam 函数绑定参数,就像 cfqueryparam 一样。必须对您的示例进行一些转换才能在我的 MSSQL 框和您的表的较小版本上工作,但它应该为您提供总体思路。

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = new query();
//you may need to use the query methods setDatasource, setUsername and setPassword to configure the query

//sql = "INSERT ALL" & chr(13) & chr(10);
sql = "";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    query.addParam(name="address"&i,value=clinicNIL[ myFields[i] ],cfsqltype="VARCHAR");

    sql = sql & "INSERT INTO NOTINLIST (ADDRESS) VALUES(";

    sql = sql & ":address" & i;

    sql = sql & ")" & chr(13) & chr(10);

}

queryResult = query.execute(sql=sql);
</cfscript>

神奇的是,sql 字符串中的 :paramName 将在执行调用期间用正确转义的参数替换其关联参数。

You can bind parameters using the addParam function of a cfscript query object just like cfqueryparam works. Had to convert your example a bit to work on my MSSQL box and a smaller version of your table but it should give you the general idea.

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = new query();
//you may need to use the query methods setDatasource, setUsername and setPassword to configure the query

//sql = "INSERT ALL" & chr(13) & chr(10);
sql = "";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    query.addParam(name="address"&i,value=clinicNIL[ myFields[i] ],cfsqltype="VARCHAR");

    sql = sql & "INSERT INTO NOTINLIST (ADDRESS) VALUES(";

    sql = sql & ":address" & i;

    sql = sql & ")" & chr(13) & chr(10);

}

queryResult = query.execute(sql=sql);
</cfscript>

The magic is the :paramName in the sql string will have it's associated parameter replaced during the execute call with a properly escaped parameter.

小女人ら 2024-11-13 07:16:00

这是我使用 cfquery/cfqueryparam 提出的解决方案。我没有意识到你可以在 cfquery 中执行 cfloop 。顺便说一句,我确实找到了一个名为“CF.Query”的东西,但显然它只满足 cfquery 的一个子集。

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

totalFields = ArrayLen(myFields);

</cfscript>
<cfquery name="insert" datasource="somedatasource">
    INSERT ALL
    <cfloop from="1" to="#totalFields#" index="i">
            INTO NOTINLIST 
            (SOURCETABLE, SOURCEPK, SOURCECOLUMN, ENTEREDVALUE, INSERTDATE, UPDATEDATE, INSERTEDBY, UPDATEDBY) 
            VALUES(
             'FACULTYADDRESSES'
            , 123
            , <cfqueryparam value = "#myFields[i]#" cfsqltype='CF_SQL_VARCHAR'>
            , <cfqueryparam value = "#clinicNIL[ myFields[i] ]#" cfsqltype='CF_SQL_VARCHAR'>
            , SYSDATE
            , SYSDATE
            , '123'
            , '123'
            )
    </cfloop>
    SELECT * FROM DUAL
</cfquery>

here is the solution I came up with using cfquery/cfqueryparam. I didn't realize you could do a cfloop inside of a cfquery. By the way, I did find something called 'CF.Query' but apparently it only satisfies a subset of cfquery.

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

totalFields = ArrayLen(myFields);

</cfscript>
<cfquery name="insert" datasource="somedatasource">
    INSERT ALL
    <cfloop from="1" to="#totalFields#" index="i">
            INTO NOTINLIST 
            (SOURCETABLE, SOURCEPK, SOURCECOLUMN, ENTEREDVALUE, INSERTDATE, UPDATEDATE, INSERTEDBY, UPDATEDBY) 
            VALUES(
             'FACULTYADDRESSES'
            , 123
            , <cfqueryparam value = "#myFields[i]#" cfsqltype='CF_SQL_VARCHAR'>
            , <cfqueryparam value = "#clinicNIL[ myFields[i] ]#" cfsqltype='CF_SQL_VARCHAR'>
            , SYSDATE
            , SYSDATE
            , '123'
            , '123'
            )
    </cfloop>
    SELECT * FROM DUAL
</cfquery>
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文