Hi CF people and a prosperous New Year to you all

I have the following query on an action page:
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
When I run this page I get this error: Element ID is undefined in FORM.

I have checked the source code on the preceding page and the 'hidden' ID input is defined.

So, when I do a cfdump of that query:
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
<cfdump var="#getImage#"><cfabort>

the dump shows me that the query has been run. As I would expect, it tells me that both the fields I am querying are empty strings, because in the case I'm testing this is in fact true.

PS: I use this query later in the page to determine if there is in fact an image to delete.

Any help as usual would be greatly appreciated
cheers
Grabit

All 6 Replies

change ID to id and see if that helps

Try fabos solution, but if that doesn't work, can you post your form code?

lol fabos..

That shouldn't make a scrap of difference, as ColdFusion is not case sensitive. I am unsure of what I did, but this matter is now resolved.
cheers
Grabit

For all that is Holy, use cfqueryparam in your queries! This is one of the easiest actions you can take to prevent SQL injection in your site. Here is a sample of how to use it:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.id#" />

Here is the livedocs for the function:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html
I know the link is for CF8, but that function hasn't changed for CF9 or 10.

The reason for using this is that your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>

If I use firebug on your form and change that value to be: 1 OR 1 = 1 then I can return all results. Now, you think this might not be so bad, so what if I did this instead? 1; DELETE FROM engReconParts; Now you have a big problem. I'll get your code to return the result for ID 1, but now afterwards I've gone in and deleted ALL records in your engReconParts table.
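The hardened form of the thread's getimage query, written as an added example rather than code from any of the posters. It assumes engReconParts.ID is an integer column (so cf_sql_integer is used instead of the cf_sql_varchar shown above) and also guards against the "Element ID is undefined in FORM" error from the original question:

```cfml
<!--- Added example, not the poster's code. Assumes ID is an integer column
      in engReconParts; for a string key, cf_sql_varchar would be the type. --->

<!--- Fail early with a clear message instead of "Element ID is undefined in FORM" --->
<cfif NOT structKeyExists(FORM, "ID") OR NOT isValid("integer", FORM.ID)>
    <cfthrow type="InvalidRequest" message="A numeric form.ID is required." />
</cfif>

<!--- The value is sent to the database as a bound, typed parameter. Input such as
      "1 OR 1 = 1" or "1; DELETE FROM engReconParts" fails the integer check, and
      even a string parameter is never interpreted as part of the SQL text. --->
<cfquery name="getimage" datasource="#dsn#">
    SELECT ID, partImage, ImageAlt
    FROM engReconParts
    WHERE ID = <cfqueryparam cfsqltype="cf_sql_integer" value="#FORM.ID#" />
</cfquery>

<!--- The later use mentioned in the question: is there actually an image to delete? --->
<cfif getimage.recordCount EQ 1 AND len(trim(getimage.partImage))>
    <!--- delete the stored image file here --->
<cfelse>
    <!--- nothing to delete: no row, or partImage is an empty string --->
</cfif>
```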

your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

Sad there are still apps out there with this kind of unprotected code... Makes you want to ask for the company web developer's credentials before doing business online.
