我是ColdFusion的新手,想要从输入字段的值中删除单引号。我试图在谷歌搜索,我发现是使用" magic_quotes_gpc"或" mysql_real_escape_string"但是ColdFusion中不存在这些功能。有没有办法在ColdFusion中处理这种mysql查询注入?
更新
感谢您的回复,但请查看我的代码
<div class="form-group">
<label for="jobDesc">Job description</label>
<textarea name="description" class="form-control" rows="3" id="jobDesc">
<cfif isdefined('userTime')>#userTime.description#</cfif>
</textarea>
</div>
我只想在文本区域使用单引号,我的表单正在提交给事件。查询是:
sqlstr = "";
sqlstr = "insert into usertime set
userid = '#arguments.userTimeParams.userid#',
projectid = '#arguments.userTimeParams.projectid#',
timesheetdate = '#arguments.userTimeParams.timesheetdate#',
estimatedtimespent = '#arguments.userTimeParams.jobhours * 60 + arguments.userTimeParams.jobMins#',
description = '#arguments.userTimeParams.description#',
timeentered = #arguments.userTimeParams.timeentered#;";
queryObj = new query();
queryObj.setDatasource("timesheet");
queryObj.setName("adduserTime");
result = queryObj.execute(sql=sqlstr);
adduserTime = result.getResult();
return result.getPrefix().generatedKey;
我有一个选项,我可以在我的字符串中添加斜杠,但是我必须在所有字符串中添加斜杠。那么有没有任何函数或方法可以用更少的代码行来做到这一点?
很抱歉因为知识有限而要求很多。
答案 0 :(得分:4)
嗯...只是不要在SQL语句中传递硬编码的用户输入(或任何其他数据〜)值,而是将它们作为参数值传递。
示例:
coloursViaQueryExecute = queryExecute("
SELECT en AS english, mi AS maori
FROM colours
WHERE id BETWEEN :low AND :high
",
{low=URL.low, high=URL.high},
{datasource="scratch_mssql"}
);
low
和high
是您的参数。
参见相关文档@ QueryExecute()
进一步阅读该主题:
答案 1 :(得分:4)
如果不对参数化用户数据进行参数化,那么您将自己开始使用SQL注入。 REReplace()
可能无法捕捉到所有内容。以下是如何重写该代码以使用cfqueryparam
的方法。您可能需要调整addParam()
方法调用以添加正确的cfsqltype
。
sqlstr = "";
sqlstr = "insert into usertime set
userid = :userid,
projectid = :projectid,
timesheetdate = :timesheetdate,
estimatedtimespent = :estimatedtimespent,
description = :description,
timeentered = :timeentered";
queryObj = new query();
queryObj.setDatasource("timesheet");
queryObj.setName("adduserTime");
queryObj.addParam( name="userid", value=arguments.usertimeparams.userid);
queryObj.addParam( name="projectid", value=arguments.usertimeparams.projectid);
queryObj.addParam( name="timesheetdate", value=arguments.usertimeparams.timesheetdate, cfsqltype="CF_SQL_TIMESTAMP");
queryObj.addParam( name="estimatedtimspent", value=arguments.userTimeParams.jobhours * 60 + arguments.userTimeParams.jobMins, cfsqltype="CF_SQL_INTEGER");
queryObj.addParam( name="description", value=arguments.usertimeparams.description);
queryObj.addParam( name="timeentered", value=arguments.usertimeparams.timeentered, cfsqltype="CF_SQL_INTEGER");
result = queryObj.execute(sql=sqlstr);
adduserTime = result.getResult();
return result.getPrefix().generatedKey;