Strange syntax error in MySQL

Question

Why does this give me an MySQL syntax error:

<cfset arguments.where = "platformUrlId='#params.platformUrlId#'">

SELECT *
FROM whatever
WHERE #arguments.where#
Order By #arguments.order#

But this works perfectly well?

<cfset arguments.where = "0=0">

SELECT *
FROM whatever
WHERE #arguments.where#
Order By #arguments.order#

It's not my param because I dumped the param next to a twin that I typed out, and they match... passing the string directly works, but setting the string in an argument then using the argument breaks it

EDIT: The error output is showing platformUrlId=''playstation3'' Coldufsion is adding '' around the argument name. How come?

Answer 1

You could probably better make use of the cfqueryparam tag like this:

<cfquery>
  SELECT *
  FROM tbl 
  WHERE #arguments.colname# = <cfqueryparam value="#arguments.platformUrlId#"> 
  ORDER BY #arguments.order#
</cfquery>

Answer 2

In order to prevent problems when your variable contians someting like "Dexy's Midnight Runniers", CF implicitly escapes single quotes in CFQuery. You can prevent this by using preserveSingleQuotes().

However, what you are doing is definitely not a recommended practice. If you need to write this as a function, I'd do something more along the lines of passing in an array of key/value pairs, and using cfQueryParam to prevent any SQL injection.