Trying to figure out triple quotes

[bobsmith123]

I am trying to build an SQL query dynamically, I know this is not a good idea, but its for an ad-hoc report. And I am getting hung up on needing quotes around some of the variables. For example, I am passing in a variable from a form, #form.name# and I am tryingt to build a query in the following way

<cfset strQuery = "SELECT ID FROM TABLE ">
<cfset strQueryWhere = "WHERE firstName = '#form.name'">
<cfset query = #strQuery# & #strQueryWhere#>

<cfquery name="myQuery" datasource="myDataSource">
#query#
</cfquery>


Now, I have a feeling it has to do with how the quotes are in te strQueryWhere variable, but I cannot figure it out. This works for integers, just not for strings that need quotes around them. Any help would be appreciated. Thanks.

 

[TruthInSatire]

if you do it that way you need to use the preserveSingleQuotes() function.

<cfquery>
#preserveSinglequotes(query)#
</cfquery>

but why not just build it dynamically right in the cfquery tags?

<cfquery>
Select #form.fields#
from #form.table#
where 0=0
<cfif len(trim(form.filter))>
and #form.colName# = '#form.filter#'
</cfif>
</cfquery>

you don't run into the preservesinglequotes problem much this way.

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true.

 

[imstillatwork]

i would recommend not doing a query that way if avoidable.

 

[TruthInSatire]

a query what way? there's more than one way presented....

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true.

 

[imstillatwork]

the original posters method.