6
我想参数化是目前正在和已经成熟的SQL注入攻击的查询:参数化查询ORM与在条款
qryAwards = ORMExecuteQuery(
"from Award where awardID in (#form.deleteAwardList#) and Game.Season.User.userID=:uid",
{uid=session.userID}
);
if(not isNull(qryAwards) and arrayLen(qryAwards)){
for(i in qryAwards){
entityDelete(i);
}
}
我想这一点,有没有单引号帕拉姆:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (:awardList) and Game.Season.User.userID=:uid",
{awardList=form.deleteAwardList, uid=session.userID}
);
我不断收到以下错误:
The value 117,118 cannot be converted to a number.
而这一点,用单引号括起来帕拉姆:
qryAwards = ORMExecuteQuery(
"from Award where awardID in (':awardList') and Game.Season.User.userID=:uid",
{awardList=form.deleteAwardList, uid=session.userID}
);
获取我下面的错误:
Invalid parameters specified for the query.
谢谢,这有效! – TekiusFanatikus
出于闲散的好奇心,这种方法逃脱了撇号吗? –
它应该。任何时候,像这样的特殊字符都可以参数化数据,就像'cfparam'一样。另外,你不能使用''cfqueryparam'' ORMExecuteQuery()'。通过使用参数的方式,它与使用'cfqueryparam'相同 –