6
我想參數化是目前正在和已經成熟的SQL注入攻擊的查詢:參數化查詢ORM與在條款
qryAwards = ORMExecuteQuery(
"from Award where awardID in (#form.deleteAwardList#) and Game.Season.User.userID=:uid",
{uid=session.userID}
);
if(not isNull(qryAwards) and arrayLen(qryAwards)){
for(i in qryAwards){
entityDelete(i);
}
}
我想這一點,有沒有單引號帕拉姆:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (:awardList) and Game.Season.User.userID=:uid",
{awardList=form.deleteAwardList, uid=session.userID}
);
我不斷收到以下錯誤:
The value 117,118 cannot be converted to a number.
而這一點,用單引號括起來帕拉姆:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (':awardList') and Game.Season.User.userID=:uid",
{awardList=form.deleteAwardList, uid=session.userID}
);
獲取我下面的錯誤:
Invalid parameters specified for the query.
謝謝,這有效! – TekiusFanatikus
出於閒散的好奇心,這種方法逃脫了撇號嗎? –
它應該。任何時候,像這樣的特殊字符都可以參數化數據,就像'cfparam'一樣。另外,你不能使用''cfqueryparam'' ORMExecuteQuery()'。通過使用參數的方式,它與使用'cfqueryparam'相同 –