1. 首頁
  2. 問答
  3. CFScript中的動態SQL

CFScript中的動態SQL

2011-05-06 16 views
3

我需要添加條件到我的SQL查詢。我想出了這個解決方案,但它不起作用,我不知道爲什麼。CFScript中的動態SQL

local.platformId = arguments.platformId ? "AND platforms.id = #arguments.platformId#" : ""; 

local.pages = new Query(dataSource=variables.wheels.class.connection.datasource); 
local.pages.setSQL 
(" 
    SELECT   COUNT(games.id) AS totalRecords 
    FROM   games 
    INNER JOIN  platforms ON games.platformId = platforms.id 
    WHERE   0=0 
:platform 
"); 

local.pages.addParam(name="platform", cfsqltype="CF_SQL_VARCHAR", value=local.platformId);  
local.pages = local.pages.execute().getResult();

我得到的錯誤:You have an error in your SQL syntax; check ... near ''AND platforms.id = 1' ''' at line 6

不知道如何繞過這個限制,並且仍然確保SQL注入安全?

來源

2011-05-06 Mohamad

回答

2

爲什麼不把SQL,如果添加帕拉姆neccessary在條件語句你的代碼?

local.pages = new Query(dataSource=variables.wheels.class.connection.datasource); 
local.baseSQL = " 
    SELECT   COUNT(games.id) AS totalRecords 
    FROM   games 
    INNER JOIN  platforms ON games.platformId = platforms.id 
    WHERE   platforms.id = :platform 
"; 

if(StructKeyExists(arguments, "platformId") 
{ 
    local.baseSQL &= "AND platforms.id = :platformId"; 
    local.pages.setSQL(baseSQL); 
    local.pages.addParam(
    name="platformId", 
    cfsqltype="CF_SQL_VARCHAR", 
    value=arguments.platformId); 
} 
else 
    local.pages.setSQL(baseSQL) 
local.pages = local.pages.execute().getResult();

來源

2011-05-07 19:09:53

3

addParam等同於在CFML中使用cfqueryparam。所以它期望value屬性像'1'或'foobar',而不是一點SQL。相反,只需將platformID的值設置爲arguments.platformid或一個空字符串即可。然後直接參考WHERE子句中的平臺。

local.platformId = arguments.platformId ? arguments.platformId : ""; 

local.pages = new Query(dataSource=variables.wheels.class.connection.datasource); 
local.pages.setSQL 
(" 
    SELECT   COUNT(games.id) AS totalRecords 
    FROM   games 
    INNER JOIN  platforms ON games.platformId = platforms.id 
    WHERE   platforms.id = :platform 
"); 

local.pages.addParam(name="platform", cfsqltype="CF_SQL_VARCHAR", value=local.platformId);  
local.pages = local.pages.execute().getResult();

這裏這篇文章有一些好的信息:http://www.bennadel.com/blog/1678-Learning-ColdFusion-9-Using-CFQuery-And-Other-Service-Tags-In-CFScript.htm

來源

2011-05-06 08:24:06 duncan

+0

如果我這樣做,而且也沒有指定平臺,什麼都不會回來了......因此,對於「其中0 = 0」 – Mohamad 2011-05-06 14:18:52

+0

不夠公平,在這種情況下我會去與亞當的建議 – duncan 2011-05-09 09:30:28

6

我喜歡用savecontent此:

savecontent variable="local.sql"{ 
    WriteOutput(" 
     SELECT   COUNT(games.id) AS totalRecords 
     FROM   games 
     INNER JOIN  platforms ON games.platformId = platforms.id 
     WHERE   0=0 
    "); 
    (arguments.platformId) 
     ? WriteOutput("AND platforms.id = :platform") 
     : WriteOutput(""); 
} 

local.pages = new Query(dataSource=variables.wheels.class.connection.datasource); 
local.pages.setSQL(local.sql); 
if (arguments.platformId){ 
    local.pages.addParam(name="platform", cfsqltype="CF_SQL_VARCHAR", value=arguments.platformId); 
} 
local.pages = local.pages.execute().getResult();

來源

2011-05-06 12:02:55

+0

任何需要要求圍繞三元條件有括號,例如'(arguments.platformId)'? – user3071284 2017-02-20 18:57:07

相關問題

 相關問題