Yeah, that's a good point, Dean. Will <cfqueryparam> tags solve that? Also, if using a connection string approach as opposed to a cfquery tag, what's the best way to deal with SQL injection?
I know what SQL injection is and I'm sure I should probably be more concerned with it than I have been in the past. Thanks for pointing that out and I'm going to make it a point to do better in that area.

Dusty

On Wed, Jan 27, 2010 at 6:29 PM, Dean H. Saxe <d...@fullfrontalnerdity.com> wrote:
> D'oh! Anyone else see the classic SQL injection vuln here...
> --
> Dean H. Saxe
> "A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon
>
> On Wed, Jan 27, 2010 at 11:47 AM, Dusty Hale <du...@climbonline.com> wrote:
> > Teddy, here's how I build the qText string part where the quotes are:
> >
> >     if(len(txtDonorId)){
> >         qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
> >     }
> >
> > On Wed, Jan 27, 2010 at 2:28 PM, Teddy R. Payne <teddyrpa...@gmail.com> wrote:
> >> Dusty,
> >> What type of single quotes are those? What is the source of the text? Was the query copied and pasted from a Microsoft document?
> >>
> >> Teddy R. Payne, ACCFD
> >> Google Talk - teddyrpa...@gmail.com
> >>
> >> On Wed, Jan 27, 2010 at 2:24 PM, Dusty Hale <du...@climbonline.com> wrote:
> >>> Hi:
> >>>
> >>> I've run into a very strange issue. I have a cfc which has a <cfquery> tag in it. I recently added one field to the SQL in the query and am getting an error I've never seen before. I can't seem to dig out any info to solve this. If anyone is familiar, please share.
> >>>
> >>> Of course, when I output the SQL and run it in a SQL Studio Query window, the query runs fine with no errors.
> >>>
> >>> Here's the error I see in CF:
> >>>
> >>> -----------------------------------------------------------------
> >>> [Macromedia][SQLServer JDBC Driver][SQLServer]Divide by zero error encountered.
> >>>
> >>> The error occurred in D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
> >>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
> >>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
> >>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
> >>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
> >>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
> >>>
> >>> 147 : </cfscript>
> >>> 148 : <cfquery name="q" datasource="#application.dsn_name#" username="#application.db_user#" password="#application.db_pword#">
> >>> 149 : #qText#
> >>> 150 : </cfquery>
> >>> -----------------------------------------------------------------
> >>>
> >>> Here's the SQL code in the qText variable. Please note that it runs fine in Query Analyzer. Also note that no division is being used.
> >>>
> >>> -----------------------------------------------------------------
> >>> Select donorid, occupation, race, haircolor, hairtexture, eyecolor, religion, bloodtype, height, weight, heightmetric, weightmetric, reportedpregnancy, opendonorid, infomp3avail, ethnicity, cmvstatus, DateEntered, ARTavail, ARTonly, SelectDonors FROM v_websearch where available = 1 AND donorid like '%9986%' ORDER BY donorid
> >>> -----------------------------------------------------------------
> >>>
> >>> Any advice or thoughts on this are of course greatly appreciated.
> >>>
> >>> Dusty
> >
> > --
> > Dusty Hale
> > Email: du...@dustyhale.com
> > Phone (Atlanta): 404.474.3754
> > Phone (Toll Free USA): 877.841.3370
> > Website: www.DustyHale.com
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?falogin.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------
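Dean's injection point and Dusty's follow-up question, illustrated with an added example that is not part of the thread: the concatenated qText build from the quoted message sits beside the same donorid filter rewritten with <cfqueryparam>. The view v_websearch, the field txtDonorId and the application.dsn_name datasource are taken from the quoted messages; that txtDonorId arrives from a search form, and the shortened column list, are assumptions. It also handles the edge case the thread does not mention: binding the value stops quote-based injection, but LIKE wildcards inside a bound value are still live, so they are escaped and an ESCAPE clause names the escape character (SQL Server, which the error message identifies, also treats [ as a wildcard). On the "connection string" question, the same principle applies outside cfquery: a JDBC PreparedStatement with ? placeholders binds values the same way cfqueryparam does; assembling the statement text yourself has no safe equivalent.

```cfml
<!--- Added example (not from the thread). Assumes txtDonorId comes from a
      search form and that application.dsn_name points at the database that
      holds the v_websearch view named in the quoted message. --->

<cfparam name="form.txtDonorId" default="">
<!--- Cap the length before escaping; the escaped value can grow to twice this. --->
<cfset txtDonorId = left(trim(form.txtDonorId), 50)>

<!--- BEFORE: the concatenation from the quoted message.
      The value is pasted into the SQL text, so a search term such as
      x' OR 1=1 -- closes the string literal and rewrites the WHERE clause;
      anything else the database account may run is reachable the same way. --->
<cfset qText = "SELECT donorid, occupation FROM v_websearch WHERE available = 1 ">
<cfif len(txtDonorId)>
    <cfset qText = qText & "AND donorid like '%" & txtDonorId & "%' ">
</cfif>

<!--- AFTER: bind the value with cfqueryparam. The driver sends it as a
      parameter, so quotes in it are data, never SQL. LIKE wildcards are
      still interpreted inside a bound value, so % _ and (SQL Server) [ are
      escaped and an ESCAPE clause names the escape character.
      The escape character itself is escaped first. --->
<cfset searchTerm = Replace(txtDonorId, "\", "\\", "all")>
<cfset searchTerm = Replace(searchTerm, "%", "\%", "all")>
<cfset searchTerm = Replace(searchTerm, "_", "\_", "all")>
<cfset searchTerm = Replace(searchTerm, "[", "\[", "all")>

<cfquery name="q" datasource="#application.dsn_name#">
    SELECT donorid, occupation, race, haircolor, eyecolor, height, weight
    FROM v_websearch
    WHERE available = 1
    <cfif len(searchTerm)>
        AND donorid LIKE <cfqueryparam value="%#searchTerm#%"
                                       cfsqltype="cf_sql_varchar"> ESCAPE '\'
    </cfif>
    ORDER BY donorid
</cfquery>
```

Note that the SQL text now only takes two shapes (with or without the filter), whatever the user types; SQL Server can cache a plan per shape rather than compiling a new one for every search term, which is a side benefit of parameterising beyond the security fix. Backslash is not an escape character in CFML string literals, so "\\" in the first Replace is two backslashes, as intended.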