queryExecute allows invalid parameter syntax without erroring

Description

The queryExecute function allows for there to be invalid syntax in the parameter section and does not error. The following is not valid, however it still executes without erroring:

```
queryExecute("
SELECT col1,
col2
FROM table
WHERE col_date > :varDate",
{varDate=arguments.aDate, cfsqltype="cf_sql_timestamp"}
);
```

The parameter "varDate" ends up with the value of arguments.aDate and it is escaped like it is a string, so you end up with something like:

```
'{ts ''2015-02-13 10:10:33''}'
```

Which of course is then not treated correctly by the SQL engine.

For reference the correct syntax is:

```
{varDate={value=arguments.aDate, cfsqltype="cf_sql_timestamp"}}
```
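Because the malformed struct is accepted silently, a check run before the query is one way to catch it. The CFScript below is an added example, not code from this ticket or from Lucee: `findParamProblems` is a hypothetical helper, and its attribute-name list and regex placeholder scan are assumptions.

```cfml
<cfscript>
// Added example: hypothetical lint helper, not a Lucee built-in.
// Reports params-struct mistakes that queryExecute() accepts silently.
function findParamProblems(required string sql, required struct params) {
    // cfqueryparam attributes that belong inside a per-parameter struct
    var attributeNames = ["value", "cfsqltype", "list", "separator", "null", "maxlength", "scale"];
    var problems = [];
    var used = {};

    // Naive scan for :name placeholders; it does not skip string literals
    // or comments inside the SQL text.
    for (var match in reMatchNoCase(":[a-z_][a-z0-9_]*", arguments.sql)) {
        used[mid(match, 2, len(match) - 1)] = true;
    }

    for (var key in arguments.params) {
        if (structKeyExists(used, key)) {
            // A typed bind needs the nested form {value=..., cfsqltype=...}
            if (!isStruct(arguments.params[key])) {
                arrayAppend(problems, "'#key#' is a bare value, so no cfsqltype is applied to it");
            }
        } else if (arrayFindNoCase(attributeNames, key)) {
            arrayAppend(problems, "'#key#' is a param attribute at the top level; nest it as {name={value=..., #key#=...}}");
        } else {
            arrayAppend(problems, "'#key#' has no matching placeholder in the SQL");
        }
    }

    for (var name in used) {
        if (!structKeyExists(arguments.params, name)) {
            arrayAppend(problems, "placeholder ':#name#' has no entry in params");
        }
    }
    return problems;
}

// Constructed input: the struct from the report, with a literal standing in for arguments.aDate
sql = "SELECT col1, col2 FROM table WHERE col_date > :varDate";
bad = {varDate = "2015-02-13 10:10:33", cfsqltype = "cf_sql_timestamp"};
good = {varDate = {value = "2015-02-13 10:10:33", cfsqltype = "cf_sql_timestamp"}};

writeDump(findParamProblems(sql, bad));
writeDump(findParamProblems(sql, good));
</cfscript>
```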

Environment

None

Activity


Adam Cameron 10 March 2015 at 08:55

@completelyfreedating OK, cool. Cheers!

Imported User 97 10 March 2015 at 08:40

@da_cameron It would appear it is just an output thing with dump as it is not causing any issues with inserts or selects, the data looks good and is inserted and selected correctly. Don't think there is anything to raise here.

Imported User 97 10 March 2015 at 08:26

@da_cameron Yes there is and no it hasn't, I will see if I can create a test case and confirm it wasn't just because of my misinterpretation of the syntax and then raise it.

Adam Cameron 10 March 2015 at 08:22

@ryanguill: I did not realise that was existing behaviour (I think it's a bit rubbish, but however). As such, yeah, best it's maintained.

I also don't think there should be "magic words" that are treated differently from other ones.

@completelyfreedating: there's still the situation with the doubled-up quotes though, isn't there? Or has that been raised separately?

Ryan Guill 9 March 2015 at 20:39

I'm def in favor of more documentation and examples.

I'm against `cfsqltype` as a reserved word, like being against adding any reserved words without a very good reason. Reserved words in databases/SQL cause problems all the time, you never know when a word will make sense in a problem domain - although I will admit that the likelihood of someone wanting to use `cfsqltype` as a column name is low. But perhaps someone wants to make a code generator that uses it. The only thing that making that a reserved word would do for you is to give a better error message in this one case - and that's not worthy of reserving a word IMO.

If there was a compiler you could get warnings out of or a linter this would be a good candidate for that.

Fixed

Created 9 March 2015 at 09:01
Updated 8 May 2020 at 19:39
Resolved 10 March 2015 at 08:55
