ColdFusion的magic_quotes_gpc设置?冷箱?

时间:2015-04-03 10:54:54

标签: mysql coldfusion

我是ColdFusion的新手,想要从输入字段的值中删除单引号。我试图在谷歌搜索,我发现是使用" magic_quotes_gpc"或" mysql_real_escape_string"但是ColdFusion中不存在这些功能。有没有办法在ColdFusion中处理这种mysql查询注入?

更新

感谢您的回复,但请查看我的代码

<div class="form-group">
    <label for="jobDesc">Job description</label>
    <textarea name="description" class="form-control" rows="3" id="jobDesc">
        <cfif isdefined('userTime')>#userTime.description#</cfif>        
   </textarea>
</div>

我只想在文本区域使用单引号,我的表单正在提交给事件。查询是:

 sqlstr = "";
          sqlstr = "insert into usertime set
          userid = '#arguments.userTimeParams.userid#',
          projectid = '#arguments.userTimeParams.projectid#',
          timesheetdate = '#arguments.userTimeParams.timesheetdate#',
          estimatedtimespent = '#arguments.userTimeParams.jobhours * 60 + arguments.userTimeParams.jobMins#',
          description = '#arguments.userTimeParams.description#',
          timeentered = #arguments.userTimeParams.timeentered#;";

            queryObj = new query();
            queryObj.setDatasource("timesheet");
            queryObj.setName("adduserTime");
            result = queryObj.execute(sql=sqlstr);
            adduserTime = result.getResult();
            return result.getPrefix().generatedKey;

我有一个选项,我可以在我的字符串中添加斜杠,但是我必须在所有字符串中添加斜杠。那么有没有任何函数或方法可以用更少的代码行来做到这一点?

很抱歉因为知识有限而要求很多。

2 个答案:

答案 0 :(得分:4)

嗯...只是不要在SQL语句中传递硬编码的用户输入(或任何其他数据〜)值,而是将它们作为参数值传递。

示例:

coloursViaQueryExecute = queryExecute("
    SELECT  en AS english, mi AS maori
    FROM    colours
    WHERE   id BETWEEN :low AND :high 
    ",
    {low=URL.low, high=URL.high},
    {datasource="scratch_mssql"}
);

lowhigh是您的参数。

参见相关文档@ QueryExecute()

进一步阅读该主题:

答案 1 :(得分:4)

如果不对参数化用户数据进行参数化,那么您将自己开始使用SQL注入。 REReplace()可能无法捕捉到所有内容。以下是如何重写该代码以使用cfqueryparam的方法。您可能需要调整addParam()方法调用以添加正确的cfsqltype

sqlstr = "";
      sqlstr = "insert into usertime set
      userid = :userid,
      projectid = :projectid,
      timesheetdate = :timesheetdate,
      estimatedtimespent = :estimatedtimespent,
      description = :description,
      timeentered = :timeentered";

        queryObj = new query();
        queryObj.setDatasource("timesheet");
        queryObj.setName("adduserTime");
        queryObj.addParam( name="userid", value=arguments.usertimeparams.userid);
        queryObj.addParam( name="projectid", value=arguments.usertimeparams.projectid);
        queryObj.addParam( name="timesheetdate", value=arguments.usertimeparams.timesheetdate, cfsqltype="CF_SQL_TIMESTAMP");
        queryObj.addParam( name="estimatedtimspent", value=arguments.userTimeParams.jobhours * 60 + arguments.userTimeParams.jobMins, cfsqltype="CF_SQL_INTEGER");
        queryObj.addParam( name="description", value=arguments.usertimeparams.description);
        queryObj.addParam( name="timeentered", value=arguments.usertimeparams.timeentered, cfsqltype="CF_SQL_INTEGER");
        result = queryObj.execute(sql=sqlstr);
        adduserTime = result.getResult();
        return result.getPrefix().generatedKey;