954,585 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
4 Months Ago
0

Strange Form Var problem

Hi CF people and a prosperous New Year to you all

I have the following query on an action page:

SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#

when i run this page i get this error - Element ID is undefined in FORM.

I have checked the source code on the preceding page and the 'hidden' ID input Is defined

So
when i do a cfdump of that query

SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#

the dump shows me that the query has been run. As i would expect it tells me that both the fields i am querying are empty strings because in the case im testing this is in fact true.

ps i use this query later in the page to determine if there is in fact an image to delete

Any help as usual would be greatly appreciated
cheers
Grabit

grabit
Newbie Poster
13 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
4 Months Ago
0

change ID to id and see if that helps

fobos
Posting Whiz in Training
297 posts since Feb 2009
Reputation Points: 29
Solved Threads: 52
 
4 Months Ago
0

Try fabos solution, but if that doesn't work, can you post your form code?

teedoff
Posting Pro
599 posts since Jul 2010
Reputation Points: 21
Solved Threads: 60
 
4 Months Ago
0

lol fabos..

fobos
Posting Whiz in Training
297 posts since Feb 2009
Reputation Points: 29
Solved Threads: 52
 
4 Months Ago
0
lol fabos..



that shouldnt make a scrap of difference as coldfusion is not case sensitive - i am unsure of what i did but this matter is now resolved
cheers
Grabit

grabit
Newbie Poster
13 posts since Sep 2009
Reputation Points: 10
Solved Threads: 0
 
2 Months Ago
0

For all that is Holy, use cfqueryparam in your queries! This one of the easiest actions you can do to prevent SQL Injection in your site. Here is a sample of how to use it:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.id#" />


Here is the livedocs for the function: http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html
I know the link is for CF8, but that function hasn't changed for CF9 or 10.

The reason for using this is that your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>


If I use firebug on your form and change that value to be:1 OR 1 = 1 then I can return all results. Now, you think this might not be so bad, so what if I did this instead? 1; DELETE FROM engReconParts; Now you have a big problem. I'll get your code to return the result for ID 1, but now afterwards I've gone in and deleted ALL records in your engReconParts table.

Nighteyez07
Newbie Poster
1 post since Mar 2012
Reputation Points: 10
Solved Threads: 0
 
2 Months Ago
0
your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

Sad there are still apps out there with this kind of unprotected code .. Makes you want to ask for the company web developer's credentials before doing business online.

arrgh
Posting Whiz
381 posts since Dec 2008
Reputation Points: 32
Solved Threads: 47
 

This question has already been solved

Post: Markdown Syntax: Formatting Help
You
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed