Use of CFQUERYPARAM to specify table/column names in SQL

2
votes

I need to dynamically construct a set of JOIN statements where the table and column names are passed in from another ColdFusion query. When passing the string values to into the statement, CFQUERYPARAM adds single quotes around it - that's part of the point of CFQUERYPARAM. Given that this breaks the SQL statement, is it acceptable not to use CFQUERYPARAM in this case and instead ensure that the incoming query is cleansed, or is there a way round which allows CFQUERYPARAM to be used? (I can lock down these pieces of code using circuit/fuse permissions in Fusebox.)

Thanks.

2
sqlcoldfusioncfqueryparam
I'm not sure I understand why single quotes break the sql, it only puts them in for CF_SQL_VARCHAR, and you need them then. How do they break the query? - kevink
The use of the tag was a safety check for sanitisation rather than performance, where the variable being used is varchar; because it is being passed as something other than a value in the SQL (a column or table name), the single quotes prevent it from finding the column/table. - Alistair Knock

2 Answers

5
votes

cfqueryparam does not add single quotes - it uses bind variables.

I am instantly suspicious of the statement "dynamically construct a set of JOIN statements" - it doesn't sound like you're necessarily doing things properly if you're dynamically joining.

However, for table/column names, once you are definitely sanitizing fully - if cfqueryparam doesn't work and you need cf variables - then yes, you can use CF variables directly.

Note: To sanitize safely, you can use rereplacenocase(table_name,'[^a-z_]','','all') to remove everything other than a-z and underscore.

1
votes

You can escape the single quotes by using two of them. You can also use the preserveSingleQuotes function.