Question
I'm running MySQL 5.0.88 and ColdFusion 8.
In a form, I'm grabbing a number of record ids from a table and sending them to the server. The string will look like so:
9900000002985,9900000003180,9900000003203,9900000003487,9900000003579
I'm then passing this into MySQL, initially like so:
SELECT bk.*
FROM header AS bk
WHERE 1
AND bk.iln_kaeufer IN ( #passed_in_string# )
I have been trying for a while to use cfqueryparam like so:
<cfqueryparam cfsqltype="cf_sql_longvarchar" value="#passed_in_string#">
But this causes an error in ColdFusion. Whereas if I run the query directly in MySQL, it works. So it must be something with my cfqueryparam declaration.
I'm passing this form through AJAX from a remote location. So I don't get any error messages except for an AJAX commit error.
Question:
How do I secure the above string if I can't use cfqueryparam?
Thanks!
Answer 1:
You want to use the list and separator parameters of cfqueryparam.
SELECT bk.*
FROM header AS bk
WHERE 1
AND bk.iln_kaeufer IN ( <cfqueryparam list="yes" separator="," cfsqltype="cf_sql_longvarchar" value="#passed_in_string#">)
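The following is an added example, not code from the question or the answer above. It uses Python with an in-memory SQLite database to stand in for ColdFusion and MySQL, and shows what `cfqueryparam list="yes" separator=","` does for you: the comma-separated string is split and every element becomes its own bind parameter, so the client-supplied text can only ever be compared as data. The `header` table and `iln_kaeufer` column names are taken from the page; the sample rows and the malformed element passed to both functions are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the page's `header` table.
SAMPLE_ROWS = [
    (9900000002985, "A"),
    (9900000003180, "B"),
    (9900000003203, "C"),
    (9900000003487, "D"),
    (9900000003579, "E"),
    (9900000009999, "F"),  # not in the client's list; must never be returned by it
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE header (iln_kaeufer INTEGER, note TEXT)")
    conn.executemany("INSERT INTO header VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_unsafe(conn, passed_in_string):
    """The original pattern from the question: the raw string is spliced into
    the SQL text, so whatever the client sends becomes part of the statement."""
    sql = (
        "SELECT iln_kaeufer FROM header WHERE 1 "
        f"AND iln_kaeufer IN ({passed_in_string}) ORDER BY iln_kaeufer"
    )
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, passed_in_string, separator=","):
    """The equivalent of cfqueryparam list="yes": split on the separator,
    emit one placeholder per element, and hand the elements to the driver
    as bind values. The SQL text never contains client data."""
    items = [s.strip() for s in passed_in_string.split(separator) if s.strip()]
    if not items:
        # An empty IN () list is invalid SQL; return nothing instead of guessing.
        return []
    placeholders = ",".join("?" * len(items))
    sql = (
        "SELECT iln_kaeufer FROM header WHERE 1 "
        f"AND iln_kaeufer IN ({placeholders}) ORDER BY iln_kaeufer"
    )
    return [row[0] for row in conn.execute(sql, items)]


if __name__ == "__main__":
    conn = make_db()
    ids = "9900000002985,9900000003180,9900000003203,9900000003487,9900000003579"
    print("well-formed list, unsafe:", query_unsafe(conn, ids))
    print("well-formed list, safe:  ", query_safe(conn, ids))

    # Constructed malformed element: one "id" that is not a number at all.
    malformed = "9900000002985) OR (1=1"
    print("malformed, unsafe:", query_unsafe(conn, malformed))  # every row leaks
    print("malformed, safe:  ", query_safe(conn, malformed))    # no row matches
```

With a well-formed list both functions return the same five ids. With the malformed element, the spliced version returns all six rows because the text was interpreted as SQL, while the parameterised version compares the whole string against the column as a single value and finds nothing. Because the ids in the question are purely numeric, a practitioner would additionally reject any element that is not all digits before binding, but the point above holds even without that check.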
Source: https://stackoverflow.com/questions/11722181/can-i-queryparam-a-string-used-in-a-mysql-in-statement-using-coldfusion