是否可以使用 cfscript+cfquery+cfqueryparam 动态创建查询并转义值？

发布于 2024-11-06 07:16:00 字数 891 浏览 0 评论 0原文

我对 ColdFusion 还很陌生。基本上我正在动态创建 Oracle 查询。我过去曾使用过 cfquery/cfparam，但我真的宁愿使用 cfscript 来完成，因为它更具可读性。它旨在成为一个大型“INSERT ALL ... INTO”。

这是我到目前为止所拥有的一个基本示例：

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = queryNew("");
sql = "INSERT ALL";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    sql = sql & "INTO NOTINLIST (SOURCETABLE, SOURCECOLUMN, SOURCEPK, ENTEREDVALUE, INSERTDATE, UPDATEDDATE, INSERTEDBY, UPDATEDBY) VALUES(";
    // [..]

    // How to dynamically escape the value below?
    sql = sql & EscapeTheParameterHere( clinicNIL[ myFields[i] ]);

    // [..]
    sql = sql & ")
";

}

WriteOutput( query );
</cfscript>

在我有“EscapeTheParameterHere”的地方，我希望能够以某种方式转义该值。我怎样才能逃避这个价值？

我在这里，有关于 CF 的好的资源或参考吗？

原文

I'm still new to ColdFusion. Basically I am dynamically creating a query for Oracle. I have used cfquery/cfparam in the past but I would really rather use cfscript to accomplish as that is more readable. It is intended to be a large 'INSERT ALL ... INTO.'

Here's a basic example of what I have so far:

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = queryNew("");
sql = "INSERT ALL";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    sql = sql & "INTO NOTINLIST (SOURCETABLE, SOURCECOLUMN, SOURCEPK, ENTEREDVALUE, INSERTDATE, UPDATEDDATE, INSERTEDBY, UPDATEDBY) VALUES(";
    // [..]

    // How to dynamically escape the value below?
    sql = sql & EscapeTheParameterHere( clinicNIL[ myFields[i] ]);

    // [..]
    sql = sql & ")
";

}

WriteOutput( query );
</cfscript>

Where I have 'EscapeTheParameterHere' I want to be able to have that value escaped somehow. how can I escape the value?

while I'm here, is there any good resources or references for CF?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

℉服软 2024-11-13 07:16:00

您可以使用 cfscript 查询对象的 addParam 函数绑定参数，就像 cfqueryparam 一样。必须对您的示例进行一些转换才能在我的 MSSQL 框和您的表的较小版本上工作，但它应该为您提供总体思路。

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = new query();
//you may need to use the query methods setDatasource, setUsername and setPassword to configure the query

//sql = "INSERT ALL" & chr(13) & chr(10);
sql = "";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    query.addParam(name="address"&i,value=clinicNIL[ myFields[i] ],cfsqltype="VARCHAR");

    sql = sql & "INSERT INTO NOTINLIST (ADDRESS) VALUES(";

    sql = sql & ":address" & i;

    sql = sql & ")" & chr(13) & chr(10);

}

queryResult = query.execute(sql=sql);
</cfscript>

神奇的是，sql 字符串中的 :paramName 将在执行调用期间用正确转义的参数替换其关联参数。

You can bind parameters using the addParam function of a cfscript query object just like cfqueryparam works. Had to convert your example a bit to work on my MSSQL box and a smaller version of your table but it should give you the general idea.

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

query = new query();
//you may need to use the query methods setDatasource, setUsername and setPassword to configure the query

//sql = "INSERT ALL" & chr(13) & chr(10);
sql = "";

for (i=1; i LTE ArrayLen(myFields); i=i+1) {

    query.addParam(name="address"&i,value=clinicNIL[ myFields[i] ],cfsqltype="VARCHAR");

    sql = sql & "INSERT INTO NOTINLIST (ADDRESS) VALUES(";

    sql = sql & ":address" & i;

    sql = sql & ")" & chr(13) & chr(10);

}

queryResult = query.execute(sql=sql);
</cfscript>

The magic is the :paramName in the sql string will have it's associated parameter replaced during the execute call with a properly escaped parameter.

回复收藏 0 原文

小女人ら 2024-11-13 07:16:00

这是我使用 cfquery/cfqueryparam 提出的解决方案。我没有意识到你可以在 cfquery 中执行 cfloop 。顺便说一句，我确实找到了一个名为“CF.Query”的东西，但显然它只满足 cfquery 的一个子集。

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

totalFields = ArrayLen(myFields);

</cfscript>
<cfquery name="insert" datasource="somedatasource">
    INSERT ALL
    <cfloop from="1" to="#totalFields#" index="i">
            INTO NOTINLIST 
            (SOURCETABLE, SOURCEPK, SOURCECOLUMN, ENTEREDVALUE, INSERTDATE, UPDATEDATE, INSERTEDBY, UPDATEDBY) 
            VALUES(
             'FACULTYADDRESSES'
            , 123
            , <cfqueryparam value = "#myFields[i]#" cfsqltype='CF_SQL_VARCHAR'>
            , <cfqueryparam value = "#clinicNIL[ myFields[i] ]#" cfsqltype='CF_SQL_VARCHAR'>
            , SYSDATE
            , SYSDATE
            , '123'
            , '123'
            )
    </cfloop>
    SELECT * FROM DUAL
</cfquery>

here is the solution I came up with using cfquery/cfqueryparam. I didn't realize you could do a cfloop inside of a cfquery. By the way, I did find something called 'CF.Query' but apparently it only satisfies a subset of cfquery.

<cfscript>
clinicNIL = structNew();
clinicNIL.ADDRESS1 = 'line 1';
clinicNIL.ADDRESS2 = 'line 2';

myFields = [
     'ADDRESS1'
    ,'ADDRESS2'
];

totalFields = ArrayLen(myFields);

</cfscript>
<cfquery name="insert" datasource="somedatasource">
    INSERT ALL
    <cfloop from="1" to="#totalFields#" index="i">
            INTO NOTINLIST 
            (SOURCETABLE, SOURCEPK, SOURCECOLUMN, ENTEREDVALUE, INSERTDATE, UPDATEDATE, INSERTEDBY, UPDATEDBY) 
            VALUES(
             'FACULTYADDRESSES'
            , 123
            , <cfqueryparam value = "#myFields[i]#" cfsqltype='CF_SQL_VARCHAR'>
            , <cfqueryparam value = "#clinicNIL[ myFields[i] ]#" cfsqltype='CF_SQL_VARCHAR'>
            , SYSDATE
            , SYSDATE
            , '123'
            , '123'
            )
    </cfloop>
    SELECT * FROM DUAL
</cfquery>

回复收藏 0 原文

~没有更多了~