Yea, that's a good point Dean. Will <cfqueryparam> tags solve that? Also, if
using a connection string approach as opposed to a cfquery tag, what's the
best way to deal with SQL injection?

I know what SQL injection is and I'm sure I should probably be more concerned
with it than I have been in the past. Thanks for pointing that out, and I'm
going to make it a point to do better in that area.

Dusty

On Wed, Jan 27, 2010 at 6:29 PM, Dean H. Saxe
<d...@fullfrontalnerdity.com> wrote:

> D'oh!  Anyone else see the classic SQL injection vuln here...
> --
> Dean H. Saxe
> "A true conservationist is a person who knows that the world is not
> given by his fathers, but borrowed from his children."  -- John James
> Audubon
>
>
>
> On Wed, Jan 27, 2010 at 11:47 AM, Dusty Hale <du...@climbonline.com>
> wrote:
> > Teddy here's how I build the qText string part where the quotes are:
> >
> > if(len(txtDonorId)){
> >         qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
> >         }
> >
> >
> >
> > On Wed, Jan 27, 2010 at 2:28 PM, Teddy R. Payne <teddyrpa...@gmail.com>
> > wrote:
> >>
> >> Dusty,
> >> What type of single quotes are those?  What is the source of the text? Was
> >> the query copied and pasted from a Microsoft document?
> >>
> >>
> >> Teddy R. Payne, ACCFD
> >> Google Talk - teddyrpa...@gmail.com
> >>
> >>
> >>
> >> On Wed, Jan 27, 2010 at 2:24 PM, Dusty Hale <du...@climbonline.com>
> wrote:
> >>>
> >>> Hi:
> >>>
> >>> I've run into a very strange issue. I have a cfc which has a <cfquery>
> >>> tag in it. I recently added one field to the SQL in the query and am
> >>> getting an error I've never seen before. I can't seem to dig out any info
> >>> to solve this. If anyone is familiar, please share.
> >>>
> >>> Of course when I output the SQL and run it in a SQL Studio Query window,
> >>> the query runs fine with no errors.
> >>>
> >>> Here's the error I see in CF:
> >>>
> >>>
> >>> -----------------------------------------
> >>> [Macromedia][SQLServer JDBC Driver][SQLServer]Divide by zero error encountered.
> >>>
> >>> The error occurred in D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
> >>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
> >>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
> >>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
> >>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
> >>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
> >>>
> >>> 147 :               </cfscript>
> >>> 148 :               <cfquery name="q" datasource="#application.dsn_name#" username="#application.db_user#" password="#application.db_pword#">
> >>> 149 :               #qText#
> >>> 150 :               </cfquery>
> >>> -----------------------------------------
> >>>
> >>> Here's the SQL code in the qText variable. Please note that it runs fine
> >>> in Query Analyzer. Also note that no division is being used.
> >>>
> >>> ----------------------------------------------------------------
> >>> Select donorid, occupation, race, haircolor, hairtexture, eyecolor,
> >>> religion, bloodtype, height, weight, heightmetric, weightmetric,
> >>> reportedpregnancy, opendonorid, infomp3avail, ethnicity, cmvstatus,
> >>> DateEntered, ARTavail, ARTonly, SelectDonors FROM v_websearch where
> >>> available = 1 AND donorid like '%9986%' ORDER BY donorid
> >>>
> >>> ----------------------------------------------------------------
> >>>
> >>> Any advice or thoughts on this are of course greatly appreciated.
> >>>
> >>> Dusty
> >>
> >
> >
> >
> > --
> > Dusty Hale
> > Email: du...@dustyhale.com
> > Phone (Atlanta): 404.474.3754
> > Phone (Toll Free USA): 877.841.3370
> > Website: www.DustyHale.com
> >
>
>
> -------------------------------------------------------------
> To unsubscribe from this list, manage your profile @
> http://www.acfug.org?falogin.edituserform
>
> For more info, see http://www.acfug.org/mailinglists
> Archive @ http://www.mail-archive.com/discussion%40acfug.org/
> List hosted by http://www.fusionlink.com
> -------------------------------------------------------------
>
>
>
>
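As an added example, not code from the thread or from anyone on the list: the string concatenation Dusty posted, placed next to the same donor search written with <cfqueryparam>, which answers the "will cfqueryparam solve that?" question. It assumes txtDonorId is a user-supplied request value and application.dsn_name the datasource, as in the thread; the column list is shortened and the maxlength of 60 is an arbitrary choice.

```cfml
<!--- Added example; assumes txtDonorId is user input and
      application.dsn_name is the datasource named in the thread. --->

<!--- Vulnerable: the user's text is spliced into the SQL statement itself.
      A single quote inside txtDonorId ends the string literal early, so
      whatever follows is parsed by SQL Server as SQL, not as a search term. --->
<cfscript>
    qText = "SELECT donorid, occupation, race FROM v_websearch WHERE available = 1 ";
    if (len(txtDonorId)) {
        qText = qText & "AND donorid LIKE '%" & txtDonorId & "%' ";
    }
    qText = qText & "ORDER BY donorid";
</cfscript>
<cfquery name="qUnsafe" datasource="#application.dsn_name#">
    #qText#
</cfquery>

<!--- Hardened: the statement shape is fixed in the template and the search
      term travels to SQL Server as a bound parameter, never as SQL text.
      The LIKE wildcards belong inside the parameter value, not around the tag.
      maxlength (60 here, an arbitrary bound) rejects oversized input before
      the query is sent. --->
<cfquery name="qSafe" datasource="#application.dsn_name#">
    SELECT donorid, occupation, race
    FROM v_websearch
    WHERE available = 1
    <cfif len(txtDonorId)>
        AND donorid LIKE <cfqueryparam value="%#txtDonorId#%"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="60">
    </cfif>
    ORDER BY donorid
</cfquery>
```

Two caveats worth knowing. First, cfqueryparam stops the input from changing the statement, but it does not strip LIKE metacharacters from it, so a user can still widen the match with their own `%` or `_`; for a numeric key, prefer cfsqltype="cf_sql_integer", which makes ColdFusion reject non-numeric input outright. Second, ColdFusion doubles any single quote inside a #expression# placed in a cfquery body unless it is wrapped in preserveSingleQuotes(), so a whole statement assembled as text and interpolated as #qText# does not reach SQL Server in the form that was printed for Query Analyzer; building the statement as text is fragile in both directions. For the connection-string case, the same property comes from bind parameters or prepared statements in whatever driver is used; in ColdFusion 11 and later, cfscript code can pass a parameter array to queryExecute() instead of concatenating.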
