My instructions are to call a function when passing variables into an insert statement to prevent code injection. What does the following code do and what actually gets inserted into the database? Why doesn’t this have a value statement and it appears to have a select inside the insert?
<CFQUERY NAME="Survey1" DATASOURCE="#APPLICATION.mainDSN#">
INSERT INTO TWHSurvey_QA
(Comment, QuestionID, SurveyID, Rank)
<cfloop from="1" to="#SESSION.lastPage#" index="curPage">
<cfloop from="1" to="#ArrayLen(SESSION.HQQuestionStruct.pagesQuestions[curPage])#" index="curQuestion">
SELECT
<cfif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Type eq 1>
<cfif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans neq "">
'#SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans#',
<cfelse>
NULL,
</cfif>
<cfelse>
<cfif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Comment_Val neq "">
'#SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Comment_Val#',
<cfelse>
NULL,
</cfif>
</cfif>
#SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].QuestionID#,
#getLatestSurveyID.SurveyID#,
<cfif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Type eq 2>
<cfif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans neq "" AND SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans neq 0>
#SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans#
<cfelse>
NULL
</cfif>
<cfelseif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Type eq 3>
<cfif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans eq "Yes">
1
<cfelseif SESSION.HQQuestionStruct.pagesQuestions[curPage][curQuestion].Cur_Ans eq "No">
0
<cfelse>
NULL
</cfif>
<cfelse>
NULL
</cfif>
<CFIF curPage eq SESSION.lastPage AND curQuestion eq ArrayLen(SESSION.HQQuestionStruct.pagesQuestions[curPage])>
<CFELSE>
UNION ALL
</CFIF>
</cfloop>
</cfloop>
</CFQUERY>
When using an
INSERTthere are two ways:OR
Your query is Inserting into your table
TWHSurvey_QA, but it is Selecting variables, but you have If statements around some of the values you will be inserting.Basically it is selecting the variables: