tags:

views:

265

answers:

2
+1  Q: 

Use of CFQUERYPARAM to specify table/column names in SQL

I need to dynamically construct a set of JOIN statements where the table and column names are passed in from another ColdFusion query. When passing the string values to into the statement, CFQUERYPARAM adds single quotes around it - that's part of the point of CFQUERYPARAM. Given that this breaks the SQL statement, is it acceptable not to use CFQUERYPARAM in this case and instead ensure that the incoming query is cleansed, or is there a way round which allows CFQUERYPARAM to be used? (I can lock down these pieces of code using circuit/fuse permissions in Fusebox.)

Thanks.

+1  A: 

cfqueryparam does not add single quotes - it uses bind variables.

I am instantly suspicious of the statement "dynamically construct a set of JOIN statements" - it doesn't sound like you're necessarily doing things properly if you're dynamically joining.

However, for table/column names, once you are definitely sanitizing fully - if cfqueryparam doesn't work and you need cf variables - then yes, you can use CF variables directly.

Note: To sanitize safely, you can use rereplacenocase(table_name,'[^a-z_]','','all') to remove everything other than a-z and underscore.

Peter Boughton  2009-03-24 14:08:00
Thanks Peter. It is related to #673805 in that the main table structure and lookup tables can change as new data is added, so a static set of joins will not be sufficient. I should point out this is a back-end/local application for data manipulation, not public use.
Alistair Knock  2009-03-24 14:25:13
I suggest that the regex be [^\w]+ which will be letters, numbers and underscores, plus is shorter.
Nathan Strutz  2009-03-26 20:02:03
\w is word characters - it is not always just [a-z0-9_] and I deliberately used the more general purpose one here. However, if you were happy with the word characters route, \W is even simpler than [^\w] and is identical in meaning.
Peter Boughton  2009-03-27 01:18:40
A: 

You can escape the single quotes by using two of them. You can also use the preserveSingleQuotes function.

hofo  2009-03-26 18:43:20

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP