Display Another Variable Inside a CFOUTPUT


I have a note pushing to people that is Long Text format. So that display is:

 <cfoutput>
 #maindata#
 </cfoutput>

And let's say that data is a bunch of "blah blah blah, and more text data, blah blah" which is outputting properly.

What I am trying to do is add an additional variable note inside the "LongText".

So in the text data I have tried:

  #set.newnote#

I have tried these 2 with no luck either:

 #Variables[set.newnote]#
 #evaluate(set.newnote)# 

I'm not having luck. Is this possible or do I need to break out of the output to add an additional output after?

2

There are 2 answers

0
Sev Roberts On

I assume you're asking this because you want to nest ColdFusion string variables inside text stored in a database.

You could do this using a combination of evaluate() and de() like this:

<cfset mockDBText = "The ##x.a## jumps over the ##x.b##." />
<!--- the double ## above is just for escaping a single # - in your DB you would not need ## --->
<cfoutput>#mockDBText#</cfoutput>
<cfset x.a = "quick brown fox" />
<cfset x.b = "lazy dog" />
<cfoutput><br /> #evaluate(de(mockDBText))#</cfoutput>

...however beware the huge security risks of doing this with any text derived from user input - explained in more detail for example here: https://www.bennadel.com/blog/3861-evaluating-database-records-that-contain-coldfusion-interpolation-expressions-in-adobe-coldfusion-2018.htm

A safer way is to include your own tokens to delimit variables inside DB text, and then use a function to parse these and only output known safe variables.
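
The token approach described in the answer above, as an added example that is not part of the original answer: a single-pass substitution that resolves only allowlisted names and never calls evaluate(). The `{{name}}` token syntax, the `renderTokens()` function and the sample variable names are assumptions made for illustration.

```cfml
<cfscript>
// Added example. renderTokens() and the {{name}} syntax are hypothetical.
function renderTokens(required string template, required struct allowed) {
    var result = "";
    var pos = 1;
    // A token is {{name}}: letters, digits and underscores only
    var pattern = "\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}";
    while (true) {
        var m = reFind(pattern, template, pos, true);
        if (m.pos[1] == 0) {
            break;
        }
        // Copy the literal text that precedes the token
        if (m.pos[1] > pos) {
            result &= mid(template, pos, m.pos[1] - pos);
        }
        var key = mid(template, m.pos[2], m.len[2]);
        if (structKeyExists(allowed, key)) {
            // Allowlisted token: insert the value as data
            result &= allowed[key];
        } else {
            // Unknown token: keep it as literal text, never resolve it
            result &= mid(template, m.pos[1], m.len[1]);
        }
        pos = m.pos[1] + m.len[1];
    }
    // Copy whatever follows the last token
    if (pos <= len(template)) {
        result &= mid(template, pos, len(template) - pos + 1);
    }
    return result;
}

// Constructed sample standing in for the database text
dbText = "The {{animal}} jumps over the {{target}}. {{dsnPassword}} ##now()##";
safeVars = { animal = "quick brown fox", target = "lazy dog" };
// Encode at output time, since both text and values may come from users
writeOutput(encodeForHTML(renderTokens(dbText, safeVars)));
</cfscript>
```

The unknown `{{dsnPassword}}` token and the `#now()#` expression are displayed as literal text, and because the template is scanned once, a substituted value that itself contains a token is not expanded again.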

3
Redtopia On
<cfscript>
mainData = "blah blah blah";
moreData = "more more more";
writeOutput(mainData & moreData);
</cfscript>

or

<cfoutput>#mainData##moreData#</cfoutput>

or if you want to insert moreData into mainData:

<cfscript>
// Left() and Right() take (string, count): first 5 characters, then moreData, then the rest
newString = Left(mainData, 5) & moreData & Right(mainData, Len(mainData) - 5);
writeOutput(newString);
</cfscript>

And another note... never ever ever ever use Evaluate(nonSanitizedUserText) or you will open your application up to injection attacks.