We're a community of 1076K IT Pros here for help, advice, solutions, professional growth and fun. Join us!
1,075,535 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Start New Discussion Reply to this Discussion
Ad: BlackBerry® Z10
1 Year Ago
0

Strange Form Var problem

Hi CF people and a prosperous New Year to you all

I have the following query on an action page:
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
when i run this page i get this error - Element ID is undefined in FORM.

I have checked the source code on the preceding page and the 'hidden' ID input Is defined

So
when i do a cfdump of that query
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
<cfdump var="#getImage#"><cfabort>

the dump shows me that the query has been run. As i would expect it tells me that both the fields i am querying are empty strings because in the case im testing this is in fact true.

ps i use this query later in the page to determine if there is in fact an image to delete

Any help as usual would be greatly appreciated
cheers
Grabit

5
Contributors
6
Replies
2 Months
Discussion Span
1 Year Ago
Last Updated
7
Views
Question
Answered
grabit
Newbie Poster
13 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
1 Year Ago
0

change ID to id and see if that helps

fobos
Posting Whiz
345 posts since Feb 2009
Reputation Points: 29
Solved Threads: 67
Skill Endorsements: 3
1 Year Ago
0

Try fabos solution, but if that doesn't work, can you post your form code?

teedoff
Practically a Master Poster
605 posts since Jul 2010
Reputation Points: 21
Solved Threads: 60
Skill Endorsements: 0
1 Year Ago
0

lol fabos..

fobos
Posting Whiz
345 posts since Feb 2009
Reputation Points: 29
Solved Threads: 67
Skill Endorsements: 3
1 Year Ago
0

lol fabos..

that shouldnt make a scrap of difference as coldfusion is not case sensitive - i am unsure of what i did but this matter is now resolved
cheers
Grabit

grabit
Newbie Poster
13 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
Question Answered as of 1 Year Ago by fobos and teedoff
1 Year Ago
0

For all that is Holy, use cfqueryparam in your queries! This one of the easiest actions you can do to prevent SQL Injection in your site. Here is a sample of how to use it:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.id#" />

Here is the livedocs for the function:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html
I know the link is for CF8, but that function hasn't changed for CF9 or 10.

The reason for using this is that your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>

If I use firebug on your form and change that value to be: 1 OR 1 = 1 then I can return all results. Now, you think this might not be so bad, so what if I did this instead? 1; DELETE FROM engReconParts; Now you have a big problem. I'll get your code to return the result for ID 1, but now afterwards I've gone in and deleted ALL records in your engReconParts table.

Nighteyez07
Newbie Poster
1 post since Mar 2012
Reputation Points: 10
Solved Threads: 0
Skill Endorsements: 0
1 Year Ago
0

your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

Sad there are still apps out there with this kind of unprotected code .. Makes you want to ask for the company web developer's credentials before doing business online.

arrgh
Posting Pro in Training
405 posts since Dec 2008
Reputation Points: 32
Solved Threads: 50
Skill Endorsements: 0

This question has already been solved: Start a new discussion instead

Post: Markdown Syntax: Formatting Help
 
You
Web Development > ColdFusion
 
© 2013 DaniWeb® LLC
Page rendered in 0.0725 seconds using 2.72MB