0

I'm writing a subsystem that tables might be renamed from project to project.

Instead of asking the user of my subsystem to search & replace before using it, does this work?

<cfquery name="local.foo" datasource="#dsn#">
  SELECT col1, col2, col3
  FROM #tableName#
</cfquery>

Without <cfqueryparam>, will it become non-cacheable? or any other issues? (assume SQL-injection is not an issue)

I don't think I can use <cfqueryparam> for table name, right?

Thanks.

Henry
  • 32,689
  • 19
  • 120
  • 221
  • 1
    "does this work?" why didn't you just try it? "I don't think I can use for table name, right?" again.. – erikvold Mar 31 '11 at 21:39
  • *use for table name* I know this is an old thread, but for anyone who comes across it in the future, the answer is no. Cfqueryparam, or bind variables, only work with literals ie simple strings, numbers, etcetera. Cfqueryparam cannot be used on table names (or any other *object* names). – Leigh Jan 06 '16 at 19:50

1 Answers1

3

That'll work, sure. CF simply converts all variables to their values and sends the string to the database driver.

Be very, very careful, though. As you've implied, this could set you up for some nasty SQL injection.

ale
  • 6,369
  • 7
  • 55
  • 65
  • 1
    If you are using MySQL, you can escape the tableName to make it SQL safe by wrapping the string with backticks such as: `#tableName#`. Other databases will have their own ways of escaping table and column names. – Greg Stevens Mar 18 '10 at 20:21