Interesting CFQUERY Bug

This post is more than 2 years old.

Credit for this find goes to David McGuigan. He found the bug and reported it on a private listserv. I asked him to blog it, and he suggested I do instead.

So apparently - and I'll admit to never having run into this - if you call a UDF from within a cfquery, and that query uses a different datasource, it "resets" the datasource of the outer cfquery.

That's a bit confusing, but consider the following example.

<cfquery name="entries" datasource="blogdev" maxrows="2"> select * from tblBlogEntries <cfif foo()> where released = 1 </cfif> </cfquery>

This query returns records from the table, tblBlogEntries, in the datasource blogdev. Note the call to a UDF named foo. The UDF obviously returns a boolean, and if it returns true, we add a where clause. You could imagine foo() being some kind of security check. Now imagine foo looked like so:

<cffunction name="foo"> <cfset var q = ""> <cfquery name="q" datasource="cfbookclub"> select * from authors </cfquery> <cfreturn false> </cffunction>

See how foo() references a different datasource? This is enough to break the original cfquery and have it reference cfbookclub instead of blogdev.

You could code around this. Simply call foo and store the result outside of the query. And as I said - I've never run into this issue myself. It's still something you may want to watch out for though.

Raymond Camden's Picture

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos. If you like this article, please consider visiting my Amazon Wishlist or donating via PayPal to show your support. You can even buy me a coffee!

Lafayette, LA https://www.raymondcamden.com