
Hi CF people and a prosperous New Year to you all

I have the following query on an action page:
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
When I run this page I get this error: Element ID is undefined in FORM.

I have checked the source code on the preceding page and the 'hidden' ID input is defined.

So
When I do a cfdump of that query
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
<cfdump var="#getImage#"><cfabort>

the dump shows me that the query has been run. As I would expect, it tells me that both the fields I am querying are empty strings, because in the case I'm testing this is in fact true.

PS: I use this query later in the page to determine if there is in fact an image to delete.

Any help as usual would be greatly appreciated
cheers
Grabit

5 contributors, 6 replies, 7 views; discussion span 5 years; last post by arrgh

lol fabos..

That shouldn't make a scrap of difference, as ColdFusion is not case sensitive. I am unsure of what I did, but this matter is now resolved.
cheers
Grabit


For all that is Holy, use cfqueryparam in your queries! This is one of the easiest actions you can do to prevent SQL Injection in your site. Here is a sample of how to use it:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.id#" />

Here is the livedocs for the function:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html
I know the link is for CF8, but that function hasn't changed for CF9 or 10.

The reason for using this is that your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>

If I use firebug on your form and change that value to be: 1 OR 1 = 1 then I can return all results. Now, you think this might not be so bad, so what if I did this instead? 1; DELETE FROM engReconParts; Now you have a big problem. I'll get your code to return the result for ID 1, but now afterwards I've gone in and deleted ALL records in your engReconParts table.
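The two problems raised in this thread, the "Element ID is undefined in FORM" error from the first post and the string-concatenated WHERE clause from the reply above, can be handled on the same action page. The following is an added example and not code posted by anyone in the thread; it assumes the same dsn variable, engReconParts table and form.ID field named in the posts, and the cfthrow error handling is a hypothetical choice for the example.

```cfml
<!--- Added example (not from the thread). Assumes the dsn variable,
      the engReconParts table and the form.ID field used in the posts. --->

<!--- 1. Avoid "Element ID is undefined in FORM": check the key exists and
      holds a number before the database is touched. The error handling here
      (cfthrow) is a hypothetical choice; a cfparam default would also work. --->
<cfif NOT structKeyExists(form, "ID") OR NOT isNumeric(form.ID)>
    <cfthrow type="Application" message="A numeric part ID is required." />
</cfif>

<!--- 2. Parameterized query. The vulnerable version in the thread pastes
      #form.ID# straight into the SQL text, so a value such as
      "1 OR 1 = 1" or "1; DELETE FROM engReconParts" becomes part of the
      statement. With cfqueryparam the driver sends "WHERE ID = ?" and binds
      the value separately; cf_sql_integer additionally rejects any value
      that is not an integer before the query is sent. --->
<cfquery name="getimage" datasource="#dsn#">
    SELECT ID, partImage, ImageAlt
    FROM engReconParts
    WHERE ID = <cfqueryparam cfsqltype="cf_sql_integer" value="#form.ID#" />
</cfquery>

<!--- 3. The check the original poster does later in the page: is there an
      image on record to delete? recordCount is 0 when the ID does not exist,
      and partImage may be an empty string when it does. --->
<cfif getimage.recordCount EQ 1 AND len(trim(getimage.partImage))>
    <cfoutput>Image on file for part #getimage.ID#: #getimage.partImage#</cfoutput>
<cfelse>
    <cfoutput>No image stored for part #form.ID#.</cfoutput>
</cfif>
```

Because the value is bound rather than interpolated, the injected strings from the reply above reach the database only as a parameter value (and, with cf_sql_integer, never reach it at all since they are not integers); the query text itself is fixed at compile time. Using the integer type rather than cf_sql_varchar also matches the column type and lets the database reuse the prepared statement.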


your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

Sad there are still apps out there with this kind of unprotected code .. Makes you want to ask for the company web developer's credentials before doing business online.
