cfquery crashes when there are tsql comments

2019-06-18 23:38发布

问题:

This does not crash in ColdFusion 11, but does crash in ColdFusion 2016

SELECT  *
FROM    dbo.Roles WITH (NOLOCK)
WHERE   Code IS NOT NULL
AND     Active = 1
AND     RoleID IN (SELECT RoleID FROM dbo.Emp WITH (NOLOCK)) -- It's ok to look at termed employees

This works OK in both

SELECT  *
FROM    dbo.Roles WITH (NOLOCK)
WHERE   Code IS NOT NULL
AND     Active = 1
AND     RoleID IN (SELECT RoleID FROM dbo.Emp WITH (NOLOCK)) 

Is there a setting to restore the orginal behavior?

UPDATE

I thought I had a minimal example of the issue, but I didn't. Here is the complete query

    SELECT '<ul>' + STUFF (
        (
        SELECT  MIN(Role) AS "li/code", Code AS "li/span/b", 'Unsorted' AS "li/span/var"
        FROM    dbo.Roles WITH (NOLOCK)
        WHERE   Code IS NOT NULL
        AND     Active = 1
        AND     RoleID IN (SELECT RoleID FROM dbo.Emp WITH (NOLOCK)) -- It's ok to look at termed employees
        GROUP BY Code
        FOR XML PATH ('')
        ),
        1,0,''

    ) + '</ul>' AS xmlRole

When I turn on DB debugging: I get:

spy(http-nio-8500-exec-5)(2016/02/17 10:21:13.807)>> OK

spy(http-nio-8500-exec-5)(2016/02/17 10:21:13.807)>> Statement[4].execute(String sql, int autoGeneratedKeys)
spy(http-nio-8500-exec-5)(2016/02/17 10:21:13.807)>> sql = SELECT '<ul>' + STUFF ( ( SELECT MIN(Role) AS "li/code", Code AS "li/span/b", 'Unsorted' AS "li/span/var" FROM dbo.Roles WITH (NOLOCK) WHERE Code IS NOT NULL AND Active = 1 AND RoleID IN (SELECT RoleID FROM dbo.Emp WITH (NOLOCK)) -- It's ok to look at termed employees GROUP BY Code FOR XML PATH ('') ), 1,0,'' ) + '</ul>' AS xmlRole
spy(http-nio-8500-exec-5)(2016/02/17 10:21:13.807)>> autoGeneratedKeys = 1
spy(http-nio-8500-exec-5)(2016/02/17 10:21:13.807)>>    
java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near ')'. ErrorCode=102 SQLState=HY000
java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near ')'.
    at macromedia.jdbc.sqlserverbase.ddcw.b(Unknown Source)
    at macromedia.jdbc.sqlserverbase.ddcw.a(Unknown Source)

Note that the SQL String is on a single line. When the comment starts, it does not end. Everything after the -- remains as a commented out.

White space management is turned on. Turning it off does not change the behavior. The generated SQL is the same

回答1:

According to Adobe, adding Update 1 will address this issue

List of issues patched in Update 1: https://helpx.adobe.com/coldfusion/kb/bugs-fixed-coldfusion-2016-update-1.html#main-pars_minitoc

Details of Update 1: https://helpx.adobe.com/coldfusion/kb/coldfusion-2016-update-1.html