<div>
<div class="content wysiwyg-content">
I’ve come across something odd that I’d like some help with or at least some explanation of why it happens. &nbsp;If I run this query, it runs just fine: 
 
&lt;cfquery name=&quot;GetUserInfo&quot; datasource=&quot;myDataBase&quot;&gt; 
SELECT ID, name, surname 
FROM demographics 
WHERE ID IN ('007','008') 
&lt;/cfquery&gt; 
 
But if I try to use a variable to store what ID’s I want to search over, like so: 
&nbsp; 
&lt;cfset teststring = &quot;'007','008'&quot;&gt; 
&nbsp; 
&lt;cfquery name=&quot;GetUserInfo&quot; datasource=&quot;myDataBase&quot;&gt; 
SELECT ID, name, surname 
FROM demographics 
WHERE ID IN (#teststring#) 
&lt;/cfquery&gt; 
&nbsp; 
&nbsp; 
... I get the following SQL error: 
 
&nbsp; &nbsp;Incorrect syntax near '007' 
&nbsp; 
&nbsp; &nbsp;SELECT ID, name, surname FROM demographics WHERE ID IN (''007'',''008'') 
 
Note that the two ID numbers have double single quotes around them! &nbsp;Why did that happen? &nbsp;Can anyone else replicate this issue, or is it something specific to my server? &nbsp;How does SQL even know that I inserted a variable, since the ColdFusion variable is resolved before the SQL code is executed? &nbsp;Is this a setting in the SQL Server to prevent code injection? &nbsp;Thanks! 

</div>
</div>

I’ve come across something odd that I’d like some help with or at least some explanation of why it happens. If I run this query, it runs just fine:

<cfquery name="GetUserInfo" datasource="myDataBase">
SELECT ID, name, surname
FROM demographics
WHERE ID IN ('007','008')
</cfquery>

But if I try to use a variable to store what ID’s I want to search over, like so:
 
<cfset teststring = "'007','008'">
 
<cfquery name="GetUserInfo" datasource="myDataBase">
SELECT ID, name, surname
FROM demographics
WHERE ID IN (#teststring#)
</cfquery>
 
 
... I get the following SQL error:

 Incorrect syntax near '007'
 
 SELECT ID, name, surname FROM demographics WHERE ID IN (''007'',''008'')

Note that the two ID numbers have double single quotes around them! Why did that happen? Can anyone else replicate this issue, or is it something specific to my server? How does SQL even know that I inserted a variable, since the ColdFusion variable is resolved before the SQL code is executed? Is this a setting in the SQL Server to prevent code injection? Thanks!

Extra single quote (apostrophe) added around variable in SQL query

A web server refers to the software that helps to deliver web content that can be accessed either through the Internet or through an intranet. The primary function of a web server is to store, process and deliver web pages to clients. The communication between client and server takes place using the Hypertext Transfer Protocol (HTTP). The most common use of web servers is to host websites, but there are other uses such as gaming, data storage, running enterprise applications, handling email, FTP, etc.