You can't create a string containing CFML and output it and expect that to somehow mean it'll be actually executed.
For one thing, that's a bit daft when you stop and think about it, innit? (sorry, I don't mean that in a mean-spirited way). And don't feel bad: I reckon we've all done this at some stage.
Secondly: CFML is compiled before it's executed. So the process is (for all intents and purposes):
- File containing code is requested
- Code from file is passed to the CF compiler
- CF compiler spits out java byte code
- JVM executes java byte code
So your code to generate the string with the CFML code is not executed until (4), but it is needed back at (2). Unless you can time travel, that ain't gonna work.
I discuss this in my blog: "The ColdFusion request/response process"
There's a coupla things you can do:
- don't write dynamic generic SQL like this. All of us do it when we first start, but quickly come to realise dynamic/generic SQL is never a good solution to whatever issue is at hand.
- Use one of the already-existing DB abstraction tiers out there. CF 9+ comes with Hibernate support baked in.
- If you use
Query.cfc
instead of<cfquery>
, you can put placeholders in for the parameters, and pass the parameter data into the query separately. - Write your dynamic code to disk, then
include
it. This'll subvert the compile-time/run-time thing. It will be slow, as your included file will need to be compiled before it will run. It's ugly.
That list is in my order of preference for dealing with this issue.