Interesting CFQUERY Bug

Credit for this find goes to David McGuigan. He found the bug and reported it on a private listserv. I asked him to blog it, and he suggested I do instead.

So apparently - and I’ll admit to never having run into this - if you call a UDF from within a cfquery, and that query uses a different datasource, it “resets” the datasource of the outer cfquery.

That’s a bit confusing, but consider the following example.

<cfquery name="entries" datasource="blogdev" maxrows="2"> select * from tblBlogEntries <cfif foo()> where released = 1 </cfif> </cfquery>

This query returns records from the table, tblBlogEntries, in the datasource blogdev. Note the call to a UDF named foo. The UDF obviously returns a boolean, and if it returns true, we add a where clause. You could imagine foo() being some kind of security check. Now imagine foo looked like so:

<cffunction name="foo"> <cfset var q = ""> <cfquery name="q" datasource="cfbookclub"> select * from authors </cfquery> <cfreturn false> </cffunction>

See how foo() references a different datasource? This is enough to break the original cfquery and have it reference cfbookclub instead of blogdev.

You could code around this. Simply call foo and store the result outside of the query. And as I said - I’ve never run into this issue myself. It’s still something you may want to watch out for though.

Raymond Camden's Picture

About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com

Comments