RE: CF Web Hosting
Way to go Jason == making us look bad... ;-)

Jason
CFDynamics.com

-----Original Message-----
From: Dowdell, Jason G [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 11:50 AM
To: CF-Talk
Subject: RE: CF Web Hosting

Must've been one of my infinite loops :0)

~jason

-----Original Message-----
From: phumes1 [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 1:14 PM
To: CF-Talk
Subject: RE: CF Web Hosting

Yea...I just tried it and got on. Server must have went down. :-)

At 12:58 PM 4/8/2002 -0400, you wrote:

> http://www.cfdynamics.com/ loads right away for me.
>
> Ken
>
> -----Original Message-----
> From: phumes1 [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 08, 2002 12:47 PM
> To: CF-Talk
> Subject: RE: CF Web Hosting
>
> I just tried http://www.cfdynamics.com and http://cfdynamics.com
> I can't find the server. This is not a good start. :-)

__
This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Custom Tag Question
This works, but why not use Dave's approach and pass the query as a pointer. It will make more readable code. Also, you don't need to pass the recordcount into the CT. The info is available there.

Calling the tag with this:

    <cf_theS Rows="3" Query="#GetProductList#">

    <!--- begin custom tag --->
    <cfset numberOfRows = ceiling(attributes.Query.RecordCount/attributes.Rows)>
    <cfset NumOfCol = attributes.Rows>
    <cfset BeginRow = 1>
    <table width="100" cellpadding="5">
    <cfloop index="i" from="1" to="#numberOfRows#">
      <tr>
      <cfoutput query="ATTRIBUTES.Query" StartRow="#variables.BeginRow#" Maxrows="#variables.NumOfCol#">
        <td><img src="../catImages/#ThumbNail#" border="0" alt="#ID#"></td>
      </cfoutput>
      <cfset BeginRow = BeginRow + NumOfCol>
      </tr>
    </cfloop>
    </table>

-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: Thursday 11 April 2002 22:45
To: CF-Talk
Subject: RE: Custom Tag Question

Ok... I did quite follow what you guys were saying, but thanks for trying.

I did get it to work like this. Let me know if I'm an idiot and if this is total kludge. I put Caller.#ATTRIBUTES.Query# into the Query= on my CFoutput.

Calling the tag with this:

    <cf_theS QueryCount="#GetProductlist.recordcount#" Rows="3" Query="GetProductList">

    <!--- begin custom tag --->
    <cfset numberOfRows = ceiling(attributes.QueryCount/attributes.Rows)>
    <cfset NumOfCol = attributes.Rows>
    <cfset BeginRow = 1>
    <table width="100" cellpadding="5">
    <cfloop index="i" from="1" to="#numberOfRows#">
      <tr>
      <cfoutput query="Caller.#ATTRIBUTES.Query#" StartRow="#variables.BeginRow#" Maxrows="#variables.NumOfCol#">
        <td><img src="../catImages/#ThumbNail#" border="0" alt="#ID#"></td>
      </cfoutput>
      <cfset BeginRow = BeginRow + NumOfCol>
      </tr>
    </cfloop>
    </table>
RE: CFINCLUDE tag and relative paths
Easiest solution is to use CF mappings instead of relative paths.

-----Original Message-----
From: heirophant mm [mailto:[EMAIL PROTECTED]]
Sent: Friday 12 April 2002 4:11
To: CF-Talk
Subject: CFINCLUDE tag and relative paths

I have a display template, called as a custom tag through CFMODULE. The caller tags pass it an attribute called navigation, which is the path of a navigation template to display. The custom tag displays it using <cfdisplay template="#attributes.navigation#">.

I want the caller to be able to pass a path relative from itself (for ease of use) - so the value you pass for the navigation attribute would be the same as the value that a CFINCLUDE right inside the caller template would use. However, since the display template is in a different folder, just doing <cfinclude template="#attributes.navigation#"> does not work, since it expects the path to be relative from the current template, NOT the caller template.

I wrote some UDFs that convert the value of attributes.navigation so the path is instead relative to the display template, allowing the CFINCLUDE tag to work correctly. This solution is not very elegant, though. Nor is it efficient. Am I missing an easier way to do this?

To summarize, I want a CFINCLUDE tag to correctly find a path that is relative to the caller template, instead of the current [custom tag] template.

Note: For reasons unknown to me, we aren't allowed to use the Custom Tags folder on our server. So this display template I'm talking about is actually below the wwwroot folder. I don't know if that makes any difference in my problem.

This brings me to my second question: Do custom tags actually in the Custom Tags folder behave differently concerning tags such as CFINCLUDE? In this case, would the CFINCLUDE tag look for a template relative to the caller template instead?

---
Mike Mertsock
Web Applications Programmer
Alfred University
[EMAIL PROTECTED]
Deleting dynamic structure keys
In my continuing structure saga...

I need to delete a structure key, which is itself a structure. Like this:

    <cfloop collection="#payment#" item="b">
      <cfif payment[b].amount EQ 0>
        <cfset freebies[b] = StructCopy(payment[b])>
        <cfset success = StructDelete(payment,payment[b])>
      </cfif>
    </cfloop>

That doesn't work, because the second parameter of StructDelete has to be a simple value. Problem is, I don't know the key's name. StructClear(payment[b]) clears the structure, but doesn't remove the key itself.

Am I missing something?

Kay.
__
Kay Smoljak - ColdFusion Developer - PerthWeb Pty Ltd
Level 9/105 St George's Terrace - Perth - Western Australia
Ph: (08) 9226 1366 Fax: (08) 9226 1375
www.perthweb.com.au
http://developer.perthweb.com.au - Tools for Developers
cfx_pwcamtech | cfx_pwimageproc | cfx_pwcardcyrpt
RE: Deleting dynamic structure keys
StructDelete(payment,b)

-----Original Message-----
From: Kay Smoljak [mailto:[EMAIL PROTECTED]]
Sent: Friday 12 April 2002 11:14
To: CF-Talk
Subject: Deleting dynamic structure keys

In my continuing structure saga...

I need to delete a structure key, which is itself a structure. Like this:

    <cfloop collection="#payment#" item="b">
      <cfif payment[b].amount EQ 0>
        <cfset freebies[b] = StructCopy(payment[b])>
        <cfset success = StructDelete(payment,payment[b])>
      </cfif>
    </cfloop>

That doesn't work, because the second parameter of StructDelete has to be a simple value. Problem is, I don't know the key's name. StructClear(payment[b]) clears the structure, but doesn't remove the key itself.

Am I missing something?

Kay.
RE: Deleting dynamic structure keys
It's not embarrassing, Kay...everyone has an off day!
Prevent JavaScript timer from re-initialising on refresh
We have created an online assessment on our site, in some ways similar to the BrainBench online tests. It is a dynamic page and it submits back to itself.

We use a JavaScript function to work as a timer - the countdown is shown in the bottom status bar.

    window.status = "Time left = " + counter + " seconds";

The problem is that if somebody refreshes the page while taking the test, the timer is reset back to the initial value. It is thus possible for a person to take much longer than the stipulated time to complete the assessment.

Can anyone suggest a solution around this?

Thanks,
Vishal.
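An added example, not part of the original post or of the poster's application: the refresh problem described above disappears when the server records the deadline once and checks every page load and every form post against it, leaving the JavaScript countdown as display only. The server logic is modeled here in JavaScript with an in-memory Map standing in for the server-side session; all function names, the 600-second limit and the 5-second grace period are assumptions.

```javascript
// Added example: the server owns the deadline; the browser only displays it.
// Every name here is hypothetical. A Map stands in for the server-side
// session store, and the clock is passed in so the logic can be tested.

const LIMIT_MS = 600 * 1000; // constructed time limit: 600 seconds
const GRACE_MS = 5 * 1000;   // allowance for network delay on a post

const sessions = new Map();  // sessionId -> { deadline, answers }

// Called on every page load. The deadline is written once, on the first
// load; a refresh finds the existing record and leaves it untouched.
function startAssessment(sessionId, nowMs) {
  let s = sessions.get(sessionId);
  if (!s) {
    s = { deadline: nowMs + LIMIT_MS, answers: new Map() };
    sessions.set(sessionId, s);
  }
  return s;
}

// Seconds left according to the server, never below zero.
function remainingSeconds(sessionId, nowMs) {
  const s = sessions.get(sessionId);
  if (!s) return 0;
  return Math.max(0, Math.ceil((s.deadline - nowMs) / 1000));
}

// What the page render hands to the client script as its starting value.
function renderPage(sessionId, nowMs) {
  startAssessment(sessionId, nowMs);
  return { counter: remainingSeconds(sessionId, nowMs) };
}

// The form posts back to the same page; each post is checked against the
// stored deadline, so a reset or stalled client timer gains nothing.
function recordAnswer(sessionId, question, answer, nowMs) {
  const s = sessions.get(sessionId);
  if (!s) return { accepted: false, reason: "not-started" };
  if (nowMs > s.deadline + GRACE_MS) {
    return { accepted: false, reason: "time-expired" };
  }
  s.answers.set(question, answer);
  return { accepted: true, reason: "ok", counter: remainingSeconds(sessionId, nowMs) };
}

// Client side: display only. In the page, `show` would be
//   (text) => { window.status = text; }
// and `counter` is the value produced by renderPage().
function startDisplayTimer(counter, show, onExpire) {
  show("Time left = " + counter + " seconds");
  const id = setInterval(() => {
    counter -= 1;
    show("Time left = " + Math.max(0, counter) + " seconds");
    if (counter <= 0) {
      clearInterval(id);
      onExpire(); // e.g. submit the form; the server still decides
    }
  }, 1000);
  return id;
}
```
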
capture close browser event
Is there a way where we can capture the event when a user closes a browser? Or when the user closes a browser the CF application will execute a CF page? For example logout.cfm?

I try using the code below:

    <SCRIPT FOR="WINDOW" EVENT="ONBEFOREUNLOAD" LANGUAGE="JAVASCRIPT">
    window.open('logout.cfm','logout_href')
    </SCRIPT>

but eventually the code above will be executed whenever a page is refreshed or changed. I'm following the tutorial from cfvault.com but it does not really work the way I want. Yes, I managed to log out the user when the browser is closed, but I log out the user too whenever a page is changed.

Any help?

---
Pharmaniaga Berhad, your integrated healthcare provider
www.pharmaniaga.com.my
www.ehealth4all.com, your most convenient way to healthcare, everyday...

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential or privileged material. If you received this in error, please contact the sender and delete the material from any computer. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited.
---
Re: Recordset to structure?
> The two options I can see are looping over each record and copying it to a struct, or using Query functions to manipulate the recordset itself. I haven't worked with the query functions very much - are there any limitations to either of these approaches? How about performance?

If you already have the data in a query type variable, I would just leave it there and manipulate it directly if possible. Using the query functions is not that hard to learn, though adding a row can be cumbersome. If you're using CF5 you can also use QofQ to easily extract data from your modified query data.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com
Re: capture close browser event
You can use the OnUnload event in the body tag to run something.

    <body OnUnload="window.open('logout.cfm','logout_href');">

----- Original Message -----
From: Mak Wing Lok [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 7:21 AM
Subject: capture close browser event

Is there a way where we can capture the event when a user closes a browser? Or when the user closes a browser the CF application will execute a CF page? For example logout.cfm?

I try using the code below:

    <SCRIPT FOR="WINDOW" EVENT="ONBEFOREUNLOAD" LANGUAGE="JAVASCRIPT">
    window.open('logout.cfm','logout_href')
    </SCRIPT>

but eventually the code above will be executed whenever a page is refreshed or changed. I'm following the tutorial from cfvault.com but it does not really work the way I want. Yes, I managed to log out the user when the browser is closed, but I log out the user too whenever a page is changed.

Any help?

---
Pharmaniaga Berhad, your integrated healthcare provider
www.pharmaniaga.com.my
www.ehealth4all.com, your most convenient way to healthcare, everyday...
cfset a.b = c -- COM error 0x80070005. Access is denied.
Here's what I was trying to do based on an ASP VBScript example.

ASP VBScript:

    SET a.b = c

CFML:

    <cfset a.b = c>

a is a COM object. b is a property of a that returns an object (i.e. not a simple value). c is an instantiated object of the same type as b. When a is instantiated, the property b is set to Nothing (i.e. void). Both the instantiation of a and c were done via CFOBJECT tag (as opposed to the CreateObject() function which I have close to zero faith in from my experience in CF 4.5.x).

I get the following error in CFML:

    COM error 0x80070005. Access is denied.

The code worked fine in ASP VBScript. CFAS is 5.0 Enterprise (eval/single-user) running on Windows 2000 Server.

So, what gives? :) Preliminary/Cursory search of cfcomet did not yield anything useful. Hope to hear something from you gurus here. :)

James Ang
[EMAIL PROTECTED]
Re: cfset a.b = c -- COM error 0x80070005. Access is denied.
This is from www.cfcomet.com:
http://www.cfcomet.com/cfcomet/Other/index.cfm?ArticleID=32381637-0922-41CA-BBE305C2D66A7025#22

22. COM error 0x5. Access is denied.

Although this isn't a COM error per se, it is seen largely when using COM objects by client services (i.e., ColdFusion) that do not have sufficient access to an object. By default, ColdFusion is given access to the local system account, which on NT and 2000 will not allow you to run many objects, such as the ones provided by MS Office.

To fix this problem, one way is to assign ColdFusion services administrative access. Go to your Services control panel in NT or 2000 (you shouldn't get 'Access Denied' on 95 or 98). Next, you have to alter the 3 services' logon properties in the services control panel. To do this, on each ColdFusion service (ColdFusion Application Server, ColdFusion Executive, and ColdFusion RDS), right-click, choose Properties, and then you'll see a tab at the top labeled Log On. Click it, and you will then see This Account, which is a radio button. Click the This Account button then click Browse to choose who to logon as, at which point you need to choose Administrator.

On Windows NT, in the Services applet under the Control Panel, select the service and click on the Startup button (or double-click on the service). In the Log On As: groupbox, select the This Account: radio button, enter the account name (you can use the ... button to browse the account list), and enter the password twice.

A good thing to remember is that if the password to the account is ever changed, all services using that account as the logon must be updated or they will mysteriously fail at the next logon/reboot.

----- Original Message -----
From: James Ang [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 7:33 AM
Subject: cfset a.b = c -- COM error 0x80070005. Access is denied.

Here's what I was trying to do based on an ASP VBScript example.

ASP VBScript:

    SET a.b = c

CFML:

    <cfset a.b = c>

a is a COM object. b is a property of a that returns an object (i.e. not a simple value). c is an instantiated object of the same type as b. When a is instantiated, the property b is set to Nothing (i.e. void). Both the instantiation of a and c were done via CFOBJECT tag (as opposed to the CreateObject() function which I have close to zero faith in from my experience in CF 4.5.x).

I get the following error in CFML:

    COM error 0x80070005. Access is denied.

The code worked fine in ASP VBScript. CFAS is 5.0 Enterprise (eval/single-user) running on Windows 2000 Server.

So, what gives? :) Preliminary/Cursory search of cfcomet did not yield anything useful. Hope to hear something from you gurus here. :)

James Ang
[EMAIL PROTECTED]
Clustered Client variable management
I have a question regarding the application.cfm settings for client variable management when clustering.

I'm working on an application that I need to maintain user state in. I want to use cfcookie to set a cookie on the user's machine that stores a unique key to identify this user by when his browser is open. But I want this model to work in a clustered environment as well as a shared hosting environment. I'm not worried about the extra overhead required to use cookies versus session vars. I just want to know exactly what my cfapplication tag needs to look like.

e.g.

    <cfapplication name="Intranet Module" clientmanagement="Yes" setclientcookies="Yes" ClientStorage="Cookie">

Would this application setting work both on a single server as well as a clustered application? The user will not be tied to a specific machine when we cluster and all permissions for the user will be obtained from the application specific database.

Any help would be much appreciated. Especially if you are currently running a clustered application or have experience with clustering servers and maintaining state.

Best Regards,
Jason Dowdell

<!---
Jason Dowdell
[EMAIL PROTECTED]
321.799.6845
IM AES - Web Application Developer
--->
??
Can anyone assist, I have a headache from this puppy!

Prorating a purchase:

X=Cost
2500 for a year OR 2500/12 * DifferenceInMonthsFromEXPMonthandCurrentMonth
Exp date is 08/31/02

If I make a purchase today I should be charged the difference in months times {X}

Thanks
BtC
Hopefully only a syntax problem.
Hi All:

My problem is probably silly, but it is a pain in the knee for me. I have a cvs file from which I need to pull some data in a QUERY. My cvs file has some name fields that end in the character ?. CF reports an error when I try to pull one of these fields in my query. Below is an example and what I see in the browser.

Any ideas to overcome this pain? Thanks in advance for any help.

Mario

//CF code

    <cfquery name="InstrLedAttQuery" datasource="EkOutsideFilescvs" dbtype="ODBC">
    SELECT xx? FROM InstrLedAtt#Item#.txt
    </cfquery>

//Error I see in the browser

    Error Occurred While Processing Request
    Error Diagnostic Information
    ODBC Error Code = 07001 (Wrong number of parameters)
    [Microsoft][ODBC Text Driver] Too few parameters. Expected 1.
    Hint: The cause of this error is usually that your query contains a reference to a field which does not exist. You should verify that the fields included in your query exist and that you have specified their names correctly.
    The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (201:1) to (201:78).
    Date/Time: 03/13/02 18:00:19
    Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Remote Address: 66.109.35.50
Re: ?? prorating a purchase?
Not sure I understand. I am presuming someone is buying something and paying a monthly fee. As they go through time they can continue to pay monthly - or pay for the remaining amount owing?

When prorating by months in a period I usually calculate the difference in months by:

    EXPYear*12 + EXPMonth - CurYear*12 - CurMonth

From: Brad T Comer- Ameritech [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: ??
Date: Fri, 12 Apr 2002 07:54:46 -0500

Can anyone assist, I have a headache from this puppy!

Prorating a purchase:

X=Cost
2500 for a year OR 2500/12 * DifferenceInMonthsFromEXPMonthandCurrentMonth
Exp date is 08/31/02

If I make a purchase today I should be charged the difference in months times {X}

Thanks
BtC
Access table record limit?
Does anyone know what a practical limit of records should be in an Access table?

The reason I ask is that I have a table for a feature I am implementing that with some really broad estimates of mine could hit 20,000 records in a year of heavy usage (for this app, which really wouldn't be heavy usage relatively speaking...). Any higher than that and I'd insist on SQL Server for performance. This particular table has just 4 fields, and is nicely indexable...

I've seen some outrageous Access databases in my time that worked, but I can't remember if I've seen 20k records in one table.

jon
Re: ??
Take a look at this and see if it makes sense.

    <CFSET CPY = 2500> <!--- Cost Per year --->
    <CFSET CPM = CPY / 12> <!--- Cost Per month --->
    <CFSET CycleStart = "03/01/2002"> <!--- Cycle Start Date --->
    <CFSET CycleMonth = '12'> <!--- No. of Months in your cycle --->
    <!--- the date mask includes the year so DateDiff can parse the values --->
    <CFSET CycleEnd = DateFormat(DateAdd('m', CycleMonth, CycleStart), "mm/dd/yyyy")> <!--- Cycle End Date --->
    <CFSET today = DateFormat(NOW(), "mm/dd/yyyy")> <!--- Sign up date --->
    <CFSET monthsLeft = DateDiff('m', today, CycleEnd)> <!--- Months to pro-rate --->
    <CFSET Charges = monthsLeft * CPM> <!--- Pro-rated charge Calculated --->
    <!--- See the logic output --->
    <CFOUTPUT>#CycleStart# - #CycleEnd# - #today# - #monthsLeft# - #DollarFormat(Charges)#</CFOUTPUT>

Dave

----- Original Message -----
From: Brad T Comer- Ameritech [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 8:54 AM
Subject: ??

Can anyone assist, I have a headache from this puppy!

Prorating a purchase:

X=Cost
2500 for a year OR 2500/12 * DifferenceInMonthsFromEXPMonthandCurrentMonth
Exp date is 08/31/02

If I make a purchase today I should be charged the difference in months times {X}

Thanks
BtC
Re: Access table record limit?
Access 2000:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/off2000/html/acrefDatabaseSpecificationsS.asp

Access 2002:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q302524

HTH,
Howie

----- Original Message -----
From: Jon Hall [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 9:40 AM
Subject: Access table record limit?

Does anyone know what a practical limit of records should be in an Access table?

The reason I ask is that I have a table for a feature I am implementing that with some really broad estimates of mine could hit 20,000 records in a year of heavy usage (for this app, which really wouldn't be heavy usage relatively speaking...). Any higher than that and I'd insist on SQL Server for performance. This particular table has just 4 fields, and is nicely indexable...

I've seen some outrageous Access databases in my time that worked, but I can't remember if I've seen 20k records in one table.

jon
Re: Recordset to structure?
It depends on what you want the structure to look like. The query structure is ideally suited to manipulating the data as it's returned from the tables. But structures can be any number of things. I tend to use them to create hierarchies.

Give us some more information about what you're trying to do, and we'll be able to help you.

Sharon

----- Original Message -----
From: Kay Smoljak [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 2:13 AM
Subject: Recordset to structure?

Hi all,

I'm wondering what the simplest way would be to convert a query recordset to a structure. I know that a recordset *is* a structure, but I would like to copy it to the session scope and add, edit and remove keys as it goes through various scripts. I can't find anything on the developer's exchange.

The two options I can see are looping over each record and copying it to a struct, or using Query functions to manipulate the recordset itself. I haven't worked with the query functions very much - are there any limitations to either of these approaches? How about performance?

Any pointers would be greatly appreciated.

Kay.
RE: Clustered Client variable management
..remember to set the 'setdomaincookies' attribute to true for clustering (also don't you want to use a db for the client storage?)

    <cfapplication name="Intranet Module" clientmanagement="Yes" setclientcookies="Yes" ClientStorage="Cookie" setdomaincookies="yes">

-craig

-----Original Message-----
From: Dowdell, Jason G [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:52 AM
To: CF-Talk
Subject: Clustered Client variable management

I have a question regarding the application.cfm settings for client variable management when clustering.

I'm working on an application that I need to maintain user state in. I want to use cfcookie to set a cookie on the user's machine that stores a unique key to identify this user by when his browser is open. But I want this model to work in a clustered environment as well as a shared hosting environment. I'm not worried about the extra overhead required to use cookies versus session vars. I just want to know exactly what my cfapplication tag needs to look like.

e.g.

    <cfapplication name="Intranet Module" clientmanagement="Yes" setclientcookies="Yes" ClientStorage="Cookie">

Would this application setting work both on a single server as well as a clustered application? The user will not be tied to a specific machine when we cluster and all permissions for the user will be obtained from the application specific database.

Any help would be much appreciated. Especially if you are currently running a clustered application or have experience with clustering servers and maintaining state.

Best Regards,
Jason Dowdell
Re: OT Help!
> I have a domain name and I want to make sure it works with or with out a www. What do I do? Its Win2K and IIS5.

This will involve your DNS configuration as well as IIS, and possibly some CF (so we can stay somewhat on topic, hehe).

In DNS: Make sure the A record for the domain itself points to the same IP address as the www host does..

         IN A 1.2.3.4
    www  IN A 1.2.3.4

If you're expecting to get e-mail on this domain and your mail server IP address is not the same as the web server for this host, be sure you have MX records setup correctly or your e-mail will not work.

In IIS: If you have a dedicated IP address for your web site, configure the web to use that IP and do NOT setup any host-headers. If you do NOT have a dedicated IP address, then you MUST setup the host headers for the www.domain.com as well as just domain.com.

In CF: If you like, you can put a check in your Application.cfm (or some other global code that runs) to check the CGI.SERVER_NAME variable to make sure the www is present (or not present, whichever you like) and redirect to the proper host such as...

    <cfif comparenocase(cgi.server_name, "www.domain.com")>
      <cflocation url="//www.domain.com#cgi.script_name#?#cgi.query_string#">
    </cfif>

I THINK that covers everything.. if you have any other questions on that, feel free to mail me off-list since it IS a bit off-topic.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com
Re: Re[2]: OT Help!
HOWDY Critz :) I guess I assumed he had both the www and the host records set in his DNS ... (Sorry Phil)... Paul Giesenhagen QuillDesign http://www.quilldesign.com SiteDirector v2.0 - Commerce Builder oi Paul!! doesn't that need to be setup wherever the DNS is done? -- Critz Certified Adv. ColdFusion Developer Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion Friday, April 12, 2002, 10:57:37 AM, you wrote: PG Go into your IIS Manager, view the properties of that domain, and under the PG general tab, under website identification, click on advanced, make sure you PG have your ip pointing at both www.domain.com and domain.com PG Hopefully this helps, but it might depend on your setup! PG Paul Giesenhagen PG QuillDesign PG http://www.quilldesign.com PG SiteDirector v2.0 - Commerce Builder Ok I thought I had this understood but I guess I was wrong or I lost my mind since the last time I did it. I have a domain name and I want to make sure it works with or with out a www. What do I do? Its Win2K and IIS5. Thanks Phillip Broussard Tracker Marine Group 417-873-5957 PG __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Re[2]: OT Help!
Thanks every one! I thought I was going nuts with IIS. I will look into the dns. -Original Message- From: Carlisle, Eric [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 10:12 AM To: CF-Talk Subject: RE: Re[2]: OT Help! oi, Critz is correctamundo! You need 2 DNS records pointing at the same IP address. One record points the top level domain, the other points the www hostname. -Original Message- From: Critz [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 11:03 AM To: CF-Talk Subject: Re[2]: OT Help! oi Paul!! doesn't that need to be setup wherever the DNS is done? -- Critz Certified Adv. ColdFusion Developer Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion Friday, April 12, 2002, 10:57:37 AM, you wrote: PG Go into your IIS Manager, view the properties of that domain, and under the PG general tab, under website identification, click on advanced, make sure you PG have your ip pointing at both www.domain.com and domain.com PG Hopefully this helps, but it might depend on your setup! PG Paul Giesenhagen PG QuillDesign PG http://www.quilldesign.com PG SiteDirector v2.0 - Commerce Builder Ok I thought I had this understood but I guess I was wrong or I lost my mind since the last time I did it. I have a domain name and I want to make sure it works with or with out a www. What do I do? Its Win2K and IIS5. Thanks Phillip Broussard Tracker Marine Group 417-873-5957 PG __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Preventing SQL injection attacks...?
Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there?

Ian
Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com
RE: Preventing SQL injection attacks...?
Are you using cfqueryparam on all your values too? This is just one more layer to help out. Kevin -Original Message- From: Ian Lurie [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 10:17 AM To: CF-Talk Subject: Preventing SQL injection attacks...? Hi all, Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there? Ian Portent Interactive Helping clients build customer relationships on the web since 1995 Consulting, design, development, measurement http://www.portentinteractive.com __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Preventing SQL injection attacks...?
If you are using 4.5 or above, you can use the cfqueryparam and that helps. You can also do checks to see if your variables are integers or not(if that is what you are passing), you can also compare vars to make sure what you passed is whats there.. There are also many other things you can do.. HTH Clint -Original Message- From: Ian Lurie [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 10:17 AM To: CF-Talk Subject: Preventing SQL injection attacks...? Hi all, Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there? Ian Portent Interactive Helping clients build customer relationships on the web since 1995 Consulting, design, development, measurement http://www.portentinteractive.com __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Access table record limit?
I once worked with an Access DB that would hit 100K + records in one table on a regular basis. It performed fine. However, it was a rather speciallized app, and I think it was primarily doing inserts into the table. But, I did need to reference the table to extract information through a second application - never had any problems with the table. HTH. Shawn Grover -Original Message- From: Jon Hall [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 7:40 AM To: CF-Talk Subject: Access table record limit? Does anyone know what a practical limit of records should be in an Access table? The reason I ask is that I have a table for a feature I am implementing that with some really broad estimates of mine could hit 20,000 records in a year of heavy usage (for this app, which really wouldn't be heavy usage relatively speaking...). Any higher than that and I'd insist on SQL Server for performance. This particular table has just 4 fields, and is nicely indexable... I've seen some outrageous Access databases in my time that worked, but I can't remember if I've seen 20k records in one table. jon __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Preventing SQL injection attacks...?
> make sure you are at the latest MDAC and have all service pack applied for SQL. I think that the latest MDAC prevents attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: Hopefully only a syntax problem.
Hi All:

My problem probably is silly but is a pain in a knee for me. I have a cvs file from I need to pull some data in a QUERY. My cvs file have some name fields that end in the character ?. CF report me an error when I try to pull one this field in my query. Down here and example and what I see in the browser. Any ideas to overcome this pain??.

Thanks in advance for any help
Mario

//CF code

    <cfquery name="InstrLedAttQuery" datasource="EkOutsideFilescvs" dbtype="ODBC">
        SELECT xx? FROM InstrLedAtt#Item#.txt
    </cfquery>

//Error I see in the browser

    Error Occurred While Processing Request
    Error Diagnostic Information
    ODBC Error Code = 07001 (Wrong number of parameters)
    [Microsoft][ODBC Text Driver] Too few parameters. Expected 1.
    Hint: The cause of this error is usually that your query contains a reference to a field which does not exist. You should verify that the fields included in your query exist and that you have specified their names correctly.
    The error occurred while processing an element with a general identifier of (CFQUERY), occupying document position (201:1) to (201:78).
    Date/Time: 03/13/02 18:00:19
    Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Remote Address: 66.109.35.50
RE: Preventing SQL injection attacks...?
That's what I thought. Man, you think you're an expert, and then some 13 year old somewhere makes you feel like a punk again :) Is there a good paper on Macromedia.com about this? I read some of the stuff but nothing seemed really on-point... -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 8:30 AM To: CF-Talk Subject: RE: Preventing SQL injection attacks...? make sure you are at the latest MDAC and have all service pack applied for SQL. I think that the latest MDAC prevents attacks like this, but I could be wrong. No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Coldfusion Cert?
Thanks, I'll certainly keep that in mind. Yves -Original Message- From: Tim Painter [mailto:[EMAIL PROTECTED]] Sent: April 12, 2002 12:19 PM To: CF-Talk Subject: Re: Coldfusion Cert? If you take an exam more than 4 times in 90 days, it will show in the transcript. So you might want to think about it before taking the test.. http://www.brainbench.com/xml/bb/common/indfaqs.xml#bbtests_and_methodology_ attempts Tim P. - Original Message - From: Declan Maher [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Thursday, April 11, 2002 8:41 AM Subject: RE: Coldfusion Cert? You know that the Coldfusion 5 exam is free on brainbench.com. So you can take it anytime you like -Original Message- From: Yves Arsenault [mailto:[EMAIL PROTECTED]] Sent: 11 April 2002 13:11 To: CF-Talk Subject: RE: Coldfusion Cert? Thanks, I don't have alot of experience yet, but I may write it soon to get an idea of what I should work on Yves -Original Message- From: Declan Maher [mailto:[EMAIL PROTECTED]] Sent: April 11, 2002 8:54 AM To: CF-Talk Subject: RE: Coldfusion Cert? Brainbench Certification(tm) Test Overview Your Brainbench Certification(tm) test includes the following test modules: ColdFusion 5 For each Standard Skills Assessment, you will receive 40 questions. Each question is multiple choice with five choices. You must select the one best answer from the 5 choices in order to score a correct answer. You will have 180 seconds to answer each question. The time remaining for each question is displayed in the status bar at the bottom of your browser. If the time remaining falls below 30 seconds, the system will alert you with a warning message. If time expires on any question, that question will -Original Message- From: Yves Arsenault [mailto:[EMAIL PROTECTED]] Sent: 11 April 2002 12:46 To: CF-Talk Subject: RE: Coldfusion Cert? How many questions does the BrainBench exam have? I you don't mind me asking. 
Yves -Original Message- From: Declan Maher [mailto:[EMAIL PROTECTED]] Sent: April 11, 2002 6:04 AM To: CF-Talk Subject: RE: Coldfusion Cert? I took both. The differences are with the BB one you can keep your books and studio open if you want to and nobody knows so it may not be worth the paper its written on. If you do it genuinely then it is a difficult exam (CF4 version). You are asked unusual questions of stuff you may never have used. I certainly had never come across some of the stuff before. The official CF exam (CF5) is more straightforward. Hardly any ridiculous questions and a better reflection of whats important to know.I studied using: Ben Forta's Developer Study Guide which is essential and the Coldfusion Web Application Construction Toolkit. CF_buster http://www.centrasoft.com/default.cfm -This is fairly comprehensive series of tests similar to the real test. There are some tests on http://www.cfcertification.com/ and also www.forta.com. Take as many tests as you can. After all this I had 1.5 years experience at the time of taking and got the Advanced Cert. Regards, Declan -Original Message- From: Scott Van Vliet [mailto:[EMAIL PROTECTED]] Sent: 11 April 2002 07:25 To: CF-Talk Subject: RE: Coldfusion Cert? Has anyone taken both the MM CF Cert and the BB CF Cert? If so, what are (if any) the differences? TIA -Original Message- From: John Wilker [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 10, 2002 6:52 PM To: CF-Talk Subject: RE: Coldfusion Cert? If I recall the tests are still free but it's like 8 bucks to get the paper certificate mailed to you. I could be wrong I'm going off memory. Great site. J. John Wilker Web Applications Consultant, and Author Macromedia Certified ColdFusion Developer President/Founder, Inland Empire CFUG. 
www.red-omega.com more people are killed by donkeys than by airplane crashes each year -Original Message- From: Douglas Brown [mailto:[EMAIL PROTECTED]] Sent: Wednesday, April 10, 2002 6:38 PM To: CF-Talk Subject: Re: Coldfusion Cert? Yeah it is free right now, I just took it. Only scored a 3.0 I guess I need to study some more Success is a journey, not a destination!! Doug Brown - Original Message - From: Jeffry Houser [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Wednesday, April 10, 2002 5:30 PM Subject: RE: Coldfusion Cert? Its not free anymore, although I do recommend taking a look at it nonetheless. (Its cheaper, and won't hurt your resume). I thought that the Brainbench test (last time I took it) was fairly heavy on Stored Procedures and Web protocols without enough emphasis on ColdFusion. At 03:31 PM 4/10/2002 -0700, you wrote: I would recommend taking a look at brainbench.com :) They have a free CF5 cert test. You can use it as a prep. http://www.brainbench.com David Schmidt
RE: Preventing SQL injection attacks...?
Dave, Could you show me an example of an SQL injection attack? I want to test my app to see what I need to do to protect against this. Thanks, Brian Yager President - North AL Cold Fusion Users Group Sr. Systems Analyst NCCIM/CIC [EMAIL PROTECTED] (256) 842-8342 -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 10:30 AM To: CF-Talk Subject: RE: Preventing SQL injection attacks...? make sure you are at the latest MDAC and have all service pack applied for SQL. I think that the latest MDAC prevents attacks like this, but I could be wrong. No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Crosspost: Escaping single quotes
Isn't there a function (PreserveSingleQuotes) that does this? At 11:38 AM 4/12/2002 -0400, you wrote: Hi everybody, I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table? Thanks Matt Small __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: CF-TALK in subject line
Filter on the To header instead. Most users don't want the extra text in the subject. HTH, -- Howie Hamlin - inFusion Project Manager On-Line Data Solutions, Inc. - www.CoolFusion.com - 631-737-4668 x101 inFusion Mail Server (iMS) - The Award-winning, Intelligent Mail Server Find out how iMS Stacks up to the competition: http://www.coolfusion.com/imssecomparison.cfm - Original Message - From: Mike Soultanian [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, April 12, 2002 11:38 AM Subject: OT: CF-TALK in subject line Hello everyone, Sorry for the OT post... I just joined this list and I was wondering if there's a way to prepend CF-TALK to the subject line. It's kinda difficult to differentiate this mail from my non-list mail. I understand the use of filters.. I just wanted to check if this list feature was available. Thanks! Mike __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Crosspost: Escaping single quotes
No, that preserves single quotes. I want to escape single quotes. Thanks, Matt Small -Original Message- From: Jeffry Houser [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 11:32 AM To: CF-Talk Subject: Re: Crosspost: Escaping single quotes Isn't there a function (PreserveSingleQuotes) that does this? At 11:38 AM 4/12/2002 -0400, you wrote: Hi everybody, I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table? Thanks Matt Small __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Crosspost: Escaping single quotes
Most RDBMS's escape ' as '', so :

    #replace(str, "'", "''", "all")#

---
Billy Cravens

-Original Message-
From: Matthew R. Small [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:56 AM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
Re: OT: CF-TALK in subject line
oi Mike!! why not just create a rule and check for [EMAIL PROTECTED] in the recipient field? -- Critz Certified Adv. ColdFusion Developer Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion Friday, April 12, 2002, 11:38:34 AM, you wrote: MS Hello everyone, MS Sorry for the OT post... MS I just joined this list and I was wondering if there's a way to prepend MS CF-TALK to the subject line. It's kinda difficult to differentiate this MS mail from my non-list mail. MS I understand the use of filters.. I just wanted to check if this list MS feature was available. MS Thanks! MS Mike MS __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Sending Message Alerts...
How is the best way to run the query every 30secs? Is it a scheduled task, or javascript, or -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 11, 2002 4:47 PM To: CF-Talk Subject: RE: Sending Message Alerts... hidden frames are the best way to do this. just a query that run in the hidden frame and everything say 30 seconds or so, retireve the information from the server and then you can use javascript to paste the message to another frame. Anthony Petruzzi Webmaster 954-321-4703 [EMAIL PROTECTED] http://www.sheriff.org -Original Message- From: Bryan Love [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 11, 2002 4:43 PM To: CF-Talk Subject: RE: Sending Message Alerts... how complicated is the message? you can do it with image pipes... +---+ Bryan Love Macromedia Certified Professional Internet Application Developer Database Analyst Telecommunication Systems [EMAIL PROTECTED] +---+ ...'If there must be trouble, let it be in my day, that my child may have peace'... - Thomas Paine, The American Crisis -Original Message- From: Houk, Gary [mailto:[EMAIL PROTECTED]] Sent: Thursday, April 11, 2002 1:41 PM To: CF-Talk Subject: Sending Message Alerts... We have an app that has roughly 4-5,000 users accessing it. We would like to be able to push a message to the user at anytime without them having to refresh a page. Is there a way to do this...Maybe using hidden frames or flash??? Thanks, - Gary __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: CF-TALK in subject line
In outlook, to avoid having to filter into different folders, you can actually create a filter which changes the color of the message. This allows you to keep everything in one folder, but highlight cf-talk messages. Same effect as a subject line. I actually use this technique to highlight certain authors on the list who I know always post accurate and good information. -Cameron - Cameron Childress On Contract at BioLab Inc. --- cell: 678-637-5072 aim: cameroncf email: [EMAIL PROTECTED] Hello everyone, Sorry for the OT post... I just joined this list and I was wondering if there's a way to prepend CF-TALK to the subject line. It's kinda difficult to differentiate this mail from my non-list mail. I understand the use of filters.. I just wanted to check if this list feature was available. __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Crosspost: Escaping single quotes
Thanks for the try, but it didn't work. Does anybody know how ColdFusion escapes a single quote when inserting/updating a database? - Matt Small -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 11:52 AM To: CF-Talk Subject: RE: Crosspost: Escaping single quotes Most RDBMS's escape ' as '', so : #replace(str, ', '', all)# --- Billy Cravens -Original Message- From: Matthew R. Small [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 10:56 AM To: CF-Talk Subject: RE: Crosspost: Escaping single quotes No, that preserves single quotes. I want to escape single quotes. Thanks, Matt Small -Original Message- From: Jeffry Houser [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 11:32 AM To: CF-Talk Subject: Re: Crosspost: Escaping single quotes Isn't there a function (PreserveSingleQuotes) that does this? At 11:38 AM 4/12/2002 -0400, you wrote: Hi everybody, I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table? Thanks Matt Small __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Preventing SQL injection attacks...?
Let's say your query is:

    Select productName from products where productID = #url.productid#

If the url is page.cfm?productid=2 then your db sees

    Select productName from products where productID = 2

But if a hacker (I hate that term - may eternal scorn be given to those who usurped the term and used it as a synonym for cracker) enters this url:

    Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

    Select productName from products where productID = 2;delete from products

---
Billy Cravens

-Original Message-
From: Yager, Brian T Contractor/NCCIM [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack? I want to test my app to see what I need to do to protect against this.

Thanks,
Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> make sure you are at the latest MDAC and have all service pack applied for SQL. I think that the latest MDAC prevents attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Preventing SQL injection attacks...?
kewl link. they got some awesome info besides the sql stuff. good going jeff! Anthony Petruzzi Webmaster 954-321-4703 [EMAIL PROTECTED] http://www.sheriff.org -Original Message- From: Garza, Jeff [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 11:37 AM To: CF-Talk Subject: RE: Preventing SQL injection attacks...? There was a real good white paper from NGSSoftware. It's called Advanced SQL Injection and can be found near the bottom of this page. http://www.nextgenss.com/research.html#papers Frightening... Jeff Garza Lead Developer/Webmaster Spectrum Astro, Inc. [EMAIL PROTECTED] http://www.spectrumastro.com -Original Message- From: Ian Lurie [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 8:30 AM To: CF-Talk Subject: RE: Preventing SQL injection attacks...? That's what I thought. Man, you think you're an expert, and then some 13 year old somewhere makes you feel like a punk again :) Is there a good paper on Macromedia.com about this? I read some of the stuff but nothing seemed really on-point... -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED]] Sent: Friday, April 12, 2002 8:30 AM To: CF-Talk Subject: RE: Preventing SQL injection attacks...? make sure you are at the latest MDAC and have all service pack applied for SQL. I think that the latest MDAC prevents attacks like this, but I could be wrong. No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Preventing SQL injection attacks...?
To build on what Dave said, I like to use separate datasources for different permissions (easily set in CF Admin) - on most applications, I like having datasourcename_read with read permissions, datasourcename_delete with delete permissions, etc. This doesn't eliminate your problem, but it minimizes the risk of a delete, etc, on a simple select query.

Of course, this should also be enforced at the DB security level - if you have a select-only datasource, there's no reason for the user for that dsn to have write permissions.

---
Billy Cravens

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:40 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there?

There are a number of things you can do to address this:

1. Apply a generic input filter to your web server.
2. Validate all data sent to your application.
3. Limit the application's rights to the database.
4. Use stored procedures exclusively.

Typically, you should at least do the second and third items listed. The primary issue is one of data validation - making sure that values contain the appropriate datatype, and if they're string values, that they don't contain metacharacters that would allow the execution of code.

Another essential item is to limit what rights your application has within the database; typically, your application should only have rights to read and write data. If you use stored procedures exclusively, you can limit the application's rights even further, only allowing it to execute the stored procedures.

Note that you can do this entirely within the database: create a login and give it the specified rights, then use that login within your application's datasource. You can also configure the datasource itself to limit rights, which is also good but is no substitute for doing so within the database itself.

As mentioned in the first item, you can use an input filter, which is a piece of software you install on your web server. There are several available for IIS, such as Microsoft's free URLScan tool or eEye's SecureIIS:

http://www.microsoft.com/technet/security/
http://www.eeye.com/

I'd recommend that you perform data validation within your application in any case, though.

These sorts of issues are covered in Fig Leaf Software's Securing ColdFusion Servers on Windows one-day seminar, if you're interested in that:

http://training.figleaf.com/figleaftraining/Courses/Securing-ColdFusion-Servers-on-Windows.cfm

I'm also going to talk about input filtering at the CF_NORTH conference, I think:

http://www.cfnorth.com/Agenda/CFnorthCore.cfm?page=Topics

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Client/Session/CFID/CFconfused
Hey Everyone,

Newbie here... just purchased a copy of Rob Brooks-Bilson's Programming ColdFusion a few weeks back and I think I'm hooked on this stuff.. I have never done any previous database web dev. but I have done plenty of HTML. Well, I just built a message forum and database driven calendar, and now I'm going to dig in and figure out user logins. I was looking at session/cookie/client variables and had a couple questions.

I would like to have my site remember a user's setting if they request it. So, I figure that I'll use a single cookie that stores a unique user-id in a cookie and then request that cookie and reference it against the user database for the rest of their configuration (username, email, etc)

What I'm somewhat confused about is if I need to enable client management to use cookies? And do I need session management if I want to make use of session variables, or does that just make the app create CFID and CFTOKEN. Here's what I'm guessing, and I was hoping someone could tell me if I'm right or wrong..

<cfapplication name = application_name
    clientManagement = No
    setClientCookies = No
    sessionManagement = Yes/No??? - do I need this?
    sessionTimeout = #CreateTimeSpan(0, 0, 30, 0)#
    applicationTimeout = #CreateTimeSpan(0, 0, 30, 0)#>

Hopefully that makes sense...

Thanks!
Mike
--
[...]
RE: Preventing SQL injection attacks...?
This is probably the biggest security problem with web applications. It boils down to securing and validating your input. Most of these attacks are successful only when you're evaluating a number - since a string won't execute SQL, but only evaluate it as a string input. So if you're expecting numbers, then validate, using isNumeric() or CFQueryParam.

---
Billy Cravens

-----Original Message-----
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com
RE: Preventing SQL injection attacks...?
stored procedures are your friends. they enforce strict datatypes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 12 April 2002 17:11
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

This is probably the biggest security problem with web applications. It boils down to securing and validating your input. Most of these attacks are successful only when you're evaluating a number - since a string won't execute SQL, but only evaluate it as a string input. So if you're expecting numbers, then validate, using isNumeric() or CFQueryParam.

---
Billy Cravens

-----Original Message-----
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com
Re: Client/Session/CFID/CFconfused
Hi Mike, welcome to the CF community!

> I would like to have my site remember a user's setting if they request it. So, I figure that I'll use a single cookie that stores a unique user-id in a cookie and then request that cookie and reference it against the user database for the rest of their configuration (username, email, etc)

For basic display prefs, a single value is fine, but once you start getting into sites that require more security, consider using two cookies (an id and a session hash) instead of just one.

> What I'm somewhat confused about is if I need to enable client management to use cookies? And do I need session management if I want to make use of session variables, or does that just make the app create CFID and CFTOKEN. Here's what I'm guessing, and I was hoping someone could tell me if I'm right or wrong..

If you just want to set your own cookies, client/session management does not need to be enabled. You should only leave these types of variables turned on if you are planning on using them. For what you're wanting to do, it would probably be wise to just disable CF's state-management and use your own cookie(s) to handle the prefs. Just remember that there are any number of ways to handle user sessions, and you will get a different answer no matter who you ask.

-Justin Scott, Lead Developer
Sceiron Internet Services, Inc.
http://www.sceiron.com
Re: Preventing SQL injection attacks...?
> won't execute SQL, but only evaluate it as a string input. So if you're expecting numbers, then validate, using isNumeric() or CFQueryParam.

Or if you know a value must be numeric, wrap a val() around it. That will knock any text strings down to 0 and prevent an SQL error from being thrown, as well as allow your app to handle the empty record set just as if any other invalid numeric value had been tossed at it.

-Justin Scott, Lead Developer
Sceiron Internet Services, Inc.
http://www.sceiron.com
RE: Preventing SQL injection attacks...?
you can't forget that form fields also play a part in this. after reading the information provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). if you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions, which sucks! anyone know a way it could?

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> Could you show me an example of an SQL injection attack? I want to test my app to see what I need to do to protect against this.

All of these sorts of attacks rely on tampering with form or URL data to add SQL statements directly to that data, on the assumption that the data may be used in an SQL query, in which case the tampered data may execute within the SQL database.

Typically, you'll see examples where you've got a URL like this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because there's nothing to gain from dropping a table or deleting records. Real attacks are usually more subtle and useful to the attacker. One of my favorites is the use of the SQL Server system stored procedure xp_cmdshell to open a command shell, which can be used to fetch a file from an attacker's FTP server and run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data, but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:

http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: Preventing SQL injection attacks...?
There is a custom tag... cf_formfilter on the developers exchange that I've been using... It searches the caller.form.fieldnames structure looking for all sorts of nasty includes. After just reading it again I think I can also make it filter url submitted input as well.

Anyone here use or have comments on this tag's limitations? Was an easy first step for me but I am suddenly worried about url hacks as well.

Brian

At 08:17 AM 4/12/02 -0700, you wrote:

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string. We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this? Any ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com
RE: Crosspost: Escaping single quotes
I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
<cfset temp = "Teacher's Group">
#PreserveSingleQuotes(temp)#
</cfoutput>

You could probably try to do something more using replace:

#Replace("Teacher's Group", "'", "''", "all")#

will return:

Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
RE: Preventing SQL injection attacks...?
Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from products

---

or worse :

Page.cfm?productid=2;drop%table%products;

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:01 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Let's say your query is:

Select productName from products where productID = #url.productid#

If the url is page.cfm?productid=2 then your db sees

Select productName from products where productID = 2

But if a hacker (I hate that term - may eternal scorn be given to those who usurped the term and used it as a synonym for cracker) enters this url:

Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from products

---
Billy Cravens

-----Original Message-----
From: Yager, Brian T Contractor/NCCIM [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack? I want to test my app to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

> make sure you are at the latest MDAC and have all service pack applied for SQL. I think that the latest MDAC prevents attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all, use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
RE: Printing from A Pop-up
Works in IE 5 and 6, does not work in NS4.73 nor NS6.2.

Thanks,
Mark

-----Original Message-----
From: Tim Painter [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:14 AM
To: CF-Talk
Subject: Re: Printing from A Pop-up

Mark,

You can stick this in your head tag of the page:

<link rel="alternate" media="print" href="someotherpage.cfm?var1=foo">

So when the user clicks on print, it will request the page and print that one instead. I am not sure if it works on Netscape.

Tim P.

----- Original Message -----
From: Mark Leder [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 10:43 AM
Subject: Printing from A Pop-up

I have a popup window with some summary content. When a button is clicked in the popup (JS routine), I want to print a hidden page with detailed content (the information is passed from the popup to the hidden page). I don't want the user to view the hidden page. Is this even possible?

Thanks,
Mark
Re: Preventing SQL injection attacks...?
[EMAIL PROTECTED] wrote:

> you can't forget that form fields also play a part in this. after reading the information provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). if you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions, which sucks! anyone know a way it could?

why not just use cfqueryparam, it validates and it makes your sql code run faster???
RE: CF - Problem with missing Form Data
try renaming the field from JOB_ID to job. i think that might be an illegal name. kinda like naming a field creation_date.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Bryan Love [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:07 PM
To: CF-Talk
Subject: RE: CF - Problem with missing Form Data

did anyone ever solve this?? I had a similar problem years ago trying to pass 3,000-character strings through hidden fields and I'm dying to know the answer...

-----Original Message-----
From: Vishal Narayan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 8:42 PM
To: CF-Talk
Subject: CF - Problem with missing Form Data

We are using CF4.5 with IIS5 on W2K server and SQL 2000 DB for our website. I have a big problem with users getting random errors about missing parameters - either form data or url parameters. The required form fields are validated for using javascript, which ensures that the problem is not caused by necessary fields being left unfilled. A sample of such an error is shown below:

---
203.199.247.72
Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

An error occurred while evaluating the expression: #form.job_id#
Error near line 57, column 13.
Error resolving parameter FORM.JOB_ID
The specified form field cannot be found. This problem is very likely due to the fact that you have misspelled the form field name.
The error occurred while processing an element with a general identifier of (#form.job_id#), occupying document position (57:12) to (57:24) in the template file D:\Inetpub\wwwroot\mysite\myfilename.cfm.

The page doing the referring is validated, and the error log shows that they are in fact being referred from the correct template. I know that the template doing the referring contains the specified form field. Is the browser somehow losing data? Is CF or IIS to blame? Would like to know if anyone else has faced this problem, and what I can do to handle it.

Thanks in anticipation.
Vishal.
Re: Preventing SQL injection attacks...?
<cfparam type="date|numeric|string|boolean|UUID|..."> can be used for validating almost anything. It's an underused function.

Sharon DiOrio

----- Original Message -----
From: Justin Scott [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?

> won't execute SQL, but only evaluate it as a string input. So if you're expecting numbers, then validate, using isNumeric() or CFQueryParam.

Or if you know a value must be numeric, wrap a val() around it. That will knock any text strings down to 0 and prevent an SQL error from being thrown, as well as allow your app to handle the empty record set just as if any other invalid numeric value had been tossed at it.

-Justin Scott, Lead Developer
Sceiron Internet Services, Inc.
http://www.sceiron.com
RE: Crosspost: Escaping single quotes
From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error. I've already tried the function

#Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")#

but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
<cfset temp = "Teacher's Group">
#PreserveSingleQuotes(temp)#
</cfoutput>

You could probably try to do something more using replace:

#Replace("Teacher's Group", "'", "''", "all")#

will return:

Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
RE: Preventing SQL injection attacks...?
this still doesn't look like it would stop someone from entering in a ' into the string and then executing a sql statement.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Sharon Diorio [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

<cfparam type="date|numeric|string|boolean|UUID|..."> can be used for validating almost anything. It's an underused function.

Sharon DiOrio

----- Original Message -----
From: Justin Scott [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?

> won't execute SQL, but only evaluate it as a string input. So if you're expecting numbers, then validate, using isNumeric() or CFQueryParam.

Or if you know a value must be numeric, wrap a val() around it. That will knock any text strings down to 0 and prevent an SQL error from being thrown, as well as allow your app to handle the empty record set just as if any other invalid numeric value had been tossed at it.

-Justin Scott, Lead Developer
Sceiron Internet Services, Inc.
http://www.sceiron.com
RE: Crosspost: Escaping single quotes
What error are you getting? What database are you using? Have you tried outputting the data after you submit it to see what you are getting?

At 01:38 PM 4/12/2002 -0400, you wrote:

From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error. I've already tried the function

#Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")#

but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
<cfset temp = "Teacher's Group">
#PreserveSingleQuotes(temp)#
</cfoutput>

You could probably try to do something more using replace:

#Replace("Teacher's Group", "'", "''", "all")#

will return:

Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
Re: RE: Preventing SQL injection attacks...?
cfqueryparam does in fact prevent that code from running. cfqueryparam creates a prepared statement with parameters. It then compares what you've entered as a value with the datatype you've specified and, if successful, binds the parameters with what you've entered.

So, if you entered:

select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_DECIMAL">

and then in your url entered:

id=12;drop table yourtable

It would throw you an error. As well, if you had:

select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

let's say you have a text field that is 100 characters long. you can still get a drop table tablename appended to the sql statement or write an entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a cure all.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

[EMAIL PROTECTED] wrote:

> you can't forget that form fields also play a part in this. after reading the information provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). if you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions, which sucks! anyone know a way it could?

why not just use cfqueryparam, it validates and it makes your sql code run faster???
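The queries discussed in this thread, written out as an added example that is not part of any poster's message: the concatenated productid query from Billy Cravens's post beside the cfparam, cfqueryparam and val() forms the replies describe. The datasource name shop_read, the products table and the url.name parameter are assumptions made for the illustration.

```cfml
<!--- Added example, not code from the thread. Assumed names: datasource "shop_read"
      (a login with SELECT rights only), table "products", URL parameters
      "productid" and "name". --->

<!--- BEFORE (left commented out so it never runs): the URL value becomes SQL text.
      page.cfm?productid=2;delete%20from%20products sends two statements.

<cfquery name="getProductUnsafe" datasource="shop_read">
    SELECT productName FROM products WHERE productID = #url.productid#
</cfquery>
--->

<cftry>
    <!--- Throws if productid is absent or is not a number. --->
    <cfparam name="url.productid" type="numeric">
    <!--- Optional string parameter; an empty default keeps the second query valid. --->
    <cfparam name="url.name" type="string" default="">

    <!--- Numeric key: the value is bound as a parameter and is never parsed as SQL. --->
    <cfquery name="getProduct" datasource="shop_read">
        SELECT productName
        FROM products
        WHERE productID = <cfqueryparam value="#url.productid#" cfsqltype="CF_SQL_INTEGER">
    </cfquery>

    <!--- String value: a single quote inside url.name stays data. maxlength rejects
          anything longer than the column (100 here, an assumed width). --->
    <cfquery name="findByName" datasource="shop_read">
        SELECT productID, productName
        FROM products
        WHERE productName = <cfqueryparam value="#url.name#" cfsqltype="CF_SQL_VARCHAR" maxlength="100">
    </cfquery>

    <cfcatch type="any">
        <!--- Coarse handler for the example: any validation or database error ends
              the request without echoing the input or the SQL back to the client. --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid request.</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>

<!--- val() alternative from the thread: it keeps a leading number and drops the rest,
      so val("2;delete from products") is 2 and val("abc") is 0. The injected text is
      discarded, but the tampered request is served rather than rejected. --->

<cfoutput query="getProduct">#HTMLEditFormat(productName)#<br></cfoutput>
```

Binding covers the value only; the rights of the login behind the datasource still decide what a statement can do, which is why the thread pairs it with a restricted database login.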
Re: RE: Deadlock
This is not a CF error. This is a SQL Server error. What are you doing in your SQL that would cause such deadlocks?

----- Original Message -----
From: Semrau, Steven L Mr RDAISA/SRA [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:39 am
Subject: RE: Deadlock

Read up on CFLOCK; it talks about Deadlocks and the possible reasons why.

-----Original Message-----
From: Justin Waldrip [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:10 PM
To: CF-Talk
Subject: Deadlock

Your transaction (process ID #39) was deadlocked with another process and has been chosen as the deadlock victim. Rerun your transaction.

I am receiving quite a few of these errors in a row. Where is a good place to start looking for things that might cause this?

Thanks,
Justin
RE: Crosspost: Escaping single quotes
This is the offending line:

    ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'

and the cfoutput of that line:

    ,SIZE = 'Teacher's Solo'

Here is the error:

    ODBC Error Code = 37000 (Syntax error or access violation)
    [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive' where id = 1'.

If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What error are you getting? What database are you using? Have you tried outputting the data after you submit it to see what you are getting?

At 01:38 PM 4/12/2002 -0400, you wrote:

From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error.

I've already tried the function

    #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")#

but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

    <cfoutput>
    <cfset temp = "Teacher's Group">
    #PreserveSingleQuotes(temp)#
    </cfoutput>

You could probably try to do something more using replace:

    #Replace("Teacher's Group", "'", "''", "all")#

will return:

    Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how I can make CF escape the single quote for insertion into my table?

Thanks
Matt Small
FW: Preventing SQL injection attacks...?
Sorry Dave...Didn't mean to send that just to you...My mistake!

I never really thought of anything like this. Can session variables be compromised doing the same thing..

    http://mydomain.com/index.cfm?session.password=whatever

If so, this would be very upsetting to me.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Preventing SQL injection attacks...?

Could you show me an example of an SQL injection attack? I want to test my app to see what I need to do to protect against this.

All of these sorts of attacks rely on tampering with form or URL data to add SQL statements directly to that data, on the assumption that the data may be used in an SQL query, in which case the tampered data may execute within the SQL database.

Typically, you'll see examples where you've got a URL like this:

    http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because there's nothing to gain from dropping a table or deleting records. Real attacks are usually more subtle and useful to the attacker. One of my favorites is the use of the SQL Server system stored procedure xp_cmdshell to open a command shell, which can be used to fetch a file from an attacker's FTP server and run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data, but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
Re: FW: Preventing SQL injection attacks...?
No. That would end up in the URL scope:

    url.session.password
RE: Preventing SQL injection attacks...?
I haven't used this tag, but did write an in-house UDF that is called in Application.cfm. It simply loops through all form, url, and cookie parameters and replaces a single quote with chr(96) (hope I got that right), and strips HTML tags. It would be very easy to change this to also strip out semi-colons. The logic/code required is very simple to do. There's a few samples of stuff like this at www.cflib.org.

This is a filtering method, and may not catch everything, but with this, and our use of stored procs where we can, and CFQUERYPARAM, I don't think we are open to this attack. hmmm... I better go test that to be sure <grins>

Shawn Grover

-----Original Message-----
From: Brian Scandale [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:53 AM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

There is a custom tag... cf_formfilter on the developers exchange that I've been using... It searches the caller.form.fieldnames structure looking for all sorts of nasty includes. After just reading it again I think I can also make it filter url submitted input as well.

Anyone here use or have comments on this tag's limitations? Was an easy first step for me but I am suddenly worried about url hacks as well.

Brian

At 08:17 AM 4/12/02 -0700, you wrote:

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's trying to hack our database by inserting SQL query language into the URL string.

We're doing all the standard security measures, including filtering for single quotes, using database passwords, and the like, and we locked out their IP immediately. But really, how do you prevent this?

Any ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com
CFMAIL Attachment prob...
This is a sample of code:

    <cfdirectory action="LIST" directory="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\" name="mydir">
    <cfmail from="#email_from#" to="#email_to#" bcc="#email_bcc#" cc="#email_cc#" subject="#email_sujet#" server="smtp.mergitech.com">
    <cfmailparam name="Reply-To" value="Administrateur [EMAIL PROTECTED]">
    Thank you for trying
    From:#email_from#
    To:#email_to#
    Cc:#email_cc#
    Bcc:#email_bcc#
    Date:#DateFormat(email_dateSent,"dd/mm/")#
    Subject: #email_sujet#
    Body: #email_body#
    <cfmailparam file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#mydir.name#">
    </cfmail>

I've been getting this message:

    Unable to attach file.
    Cannot attach 'C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\.' to the mail message. The file does not exist.
    The error occurred while processing an element with a general identifier of (CFMAIL), occupying document position (8:1) to (8:130).

The path in the CFMAILPARAM tag is supposed to be the actual address on the server. At least that's what I was told this afternoon by one of the techs.

Any Ideas?

Also, can I use something like ExpandPath(//attach/#whatever#) in a CFMAILPARAM tag?

Thanks a lot all, I work in a school with a lot of kids around..my brain is turning to fudge from all the noise!!

Yves Arsenault
Carrefour Infotech
5,promenade Acadian
Charlottetown, IPE C1C 1M2
[EMAIL PROTECTED]
(902)368-1895 ext.242
ICQ #117650823
RE: RE: Preventing SQL injection attacks...?
still. if i had the value

    tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR it would still pass in the value as such

    select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org
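The question argued in the messages above, whether a value passed through a bound parameter can still be executed as SQL, can be checked directly. This is an added example, not code from any poster: it uses Python's sqlite3 `?` placeholders in place of ColdFusion's cfqueryparam, the in-memory table and all function names are assumptions, and the two input strings are the ones quoted in the thread.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# The two hostile values are the ones quoted in the thread; the table is constructed.
URL_ID = "12;drop table yourtable"
USERNAME = "tony ' drop table tablename--"


def new_db():
    """In-memory stand-in for the application's database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "create table yourtable (id integer primary key, username text);"
        "insert into yourtable (id, username) values (12, 'tony');"
    )
    return conn


def table_exists(conn, name="yourtable"):
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def concat_numeric(conn, raw_id):
    """The 'before': the URL value becomes part of the SQL text.
    executescript() is an assumption standing in for a driver that accepts
    several statements in one call."""
    conn.executescript("select * from yourtable where id = " + raw_id)


def concat_varchar_is_parsed_as_sql(conn, raw_name):
    """Pasting the value between quotes lets its own quote end the literal,
    so the remainder reaches the SQL parser. True means the parser saw it."""
    try:
        conn.execute("select * from yourtable where username = '" + raw_name + "'")
    except sqlite3.Error:
        return True
    return False


def bound_decimal(conn, raw_id):
    """Counterpart of cfsqltype=CF_SQL_DECIMAL: type-check first, then bind."""
    try:
        value = Decimal(raw_id)
    except InvalidOperation:
        raise ValueError("not a decimal: %r" % raw_id) from None
    if not value.is_finite():
        raise ValueError("not a finite decimal: %r" % raw_id)
    bind = int(value) if value == value.to_integral_value() else float(value)
    return conn.execute(
        "select id, username from yourtable where id = ?", (bind,)
    ).fetchall()


def bound_varchar(conn, raw_name):
    """Counterpart of cfsqltype=CF_SQL_VARCHAR: the whole string is one value."""
    return conn.execute(
        "select id, username from yourtable where username = ?", (raw_name,)
    ).fetchall()


def run_demo():
    results = {}

    # Concatenation: the second statement in the URL value runs.
    conn = new_db()
    concat_numeric(conn, URL_ID)
    results["concat_table_survives"] = table_exists(conn)

    # Binding: the same inputs are rejected or compared as plain data.
    conn = new_db()
    try:
        bound_decimal(conn, URL_ID)
        results["decimal_rejected"] = False
    except ValueError:
        results["decimal_rejected"] = True
    results["decimal_ok_rows"] = bound_decimal(conn, "12")
    results["concat_varchar_parsed"] = concat_varchar_is_parsed_as_sql(conn, USERNAME)
    results["varchar_rows"] = bound_varchar(conn, USERNAME)
    # A bound value containing a quote is stored and read back unchanged.
    conn.execute("insert into yourtable (id, username) values (?, ?)", (13, USERNAME))
    results["round_trip"] = bound_varchar(conn, USERNAME)
    results["bound_table_survives"] = table_exists(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

With binding, the driver never builds the quoted statement shown in the message; the string is compared as a value, so the quote inside it needs no doubling and the table is still present afterwards.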
RE: Preventing SQL injection attacks...?
http://www.houseoffusion.com/hof/security/database.cfm

Joe Hoffman
mailto:[EMAIL PROTECTED]
National Institutes of Health
Center for Information Technology
Division of Computer System Services
RE: RE: Deadlock
are you using cftransaction tags?
RE: RE: Preventing SQL injection attacks...?
What if you added a replace statement, doubling up on all single quotes?...
Re: CFMAIL Attachment prob...
Sample...first the file has to be uploaded to the server

    <CFFILE ACTION="upload" filefield="fileToSend" destination="D:\mail_files\" nameconflict="MAKEUNIQUE">
    <CFMAIL server="mail.ircproductions.com" TO="" FROM="" SUBJECT="">
    <CFMAILPARAM file="D:\mail_files\#file.serverFile#">
    </CFMAIL>

Success is a journey, not a destination!!

Doug Brown
RE: CFMAIL Attachment prob...
My upload code goes like this (sorry I didn't include it):

    <cfif IsDefined("FORM.Attach1")>
      <cffile action="UPLOAD" destination="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\" nameconflict="MAKEUNIQUE" filefield="attach1">
      <cfset CLIENT.Attach1Name=CFFILE.ClientFile>
      <cfset CLIENT.Attach1Size=CFFILE.FileSize>
      <cfif CLIENT.Attach1Size GT SizeLimit>
        <cffile action="DELETE" file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#CLIENT.Attach1Name#">
        <cfset DeleteClientVariable("Attach1Name")>
        <cfset DeleteClientVariable("Attach1Size")>
        <cflocation url="dspAdmAttach.cfm?FileBig=yes">
      </cfif>
      <cflocation url="dspAdmAttach.cfm?list=Attach2">
    </cfif>

It also runs a check on the file size with the SizeLimit Var.

I also check the Directory with my FTP client after it was uploaded and it was there, I just get that error with the CFMAILPARAM tag...

Yves
Re: CFMAIL Attachment prob...
try this

    <CFMAILPARAM file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#file.serverfile#">

Success is a journey, not a destination!!

Doug Brown
RE: Deadlock
It's important to first understand the nature of a deadlock. Let's say you have the following two chunks of code anywhere in your app:

    CFLOCK session.myVar1 and read session.myVar2 inside the lock

    CFLOCK session.myVar2 and read session.myVar1 inside the lock

If these two chunks of code are ever executed by different threads at the same time you have a deadlock because each lock is waiting for the other to finish.

Look through your code and make sure you don't have any issues like this one

Bryan Love
RE: CFMAIL Attachment prob...
Have you verified that the file is getting uploaded?

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342
Re: RE: Preventing SQL injection attacks...?
This code would fail my own code review. I don't allow any url. or form. variables inside CFQUERY statements. This, however, might pass.

    <!--- Validate ID --->
    <cfif #isdefined("id")# is true>
        <cfset theId=#val(htmleditformat(REreplacenocase(id, "[*,;^:?|\]", "", "ALL" )))#>
    <cfelse>
        <cfset theId=0>
    </cfif>
    <!--- update time of last visit for this user --->
    <cfquery name="queryit" datasource="#dsn#">
    update people set updated = '#dateformat(now(), "MM/DD/")#'
    where peopleid = <cfqueryparam value="#theid#" cfsqltype="cf_sql_integer">
    </cfquery>

(Note: I am not using CFQueryParam here as a validation tool. I already know the variable is an integer. This query is from a header and will fire every page load so I want successive queries to run from cache on the Database server.)

Good Fortune,
Richard Walters, Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

[EMAIL PROTECTED] 04/12/02 01:44PM

cfqueryparam does in fact prevent that code from running. cfqueryparam creates a prepared statement with parameters. It then compares what you've entered as a value with the datatype you've specified and, if successful, binds the parameters with what you've entered. So, if you entered:

    select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_DECIMAL">

and then in your url entered:

    id=12;drop table yourtable

It would throw you an error. As well, if you had:

    select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

    select * from table where id = '12;drop table yourtable'

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

let's say you have a text field that is 100 characters long. you can still get a drop table tablename appended to the sql statement or write an entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a cure-all.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

[EMAIL PROTECTED] wrote:

you can't forget that form fields also play a part in this. after reading the information provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). if you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions, which sucks! anyone know a way it could?

why not just use cfqueryparam, it validates and it makes your sql code run faster???
RE: Crosspost: Escaping single quotes
If you're trying to preserve the quotes so that SQL will recognize them and end or begin a string, then you use preservesinglequotes(). If you are trying to escape a single quote but keep it in your database, then you need to use htmleditformat().

Good Fortune,
Richard Walters, Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

[EMAIL PROTECTED] 04/12/02 02:54PM

What is the full query? I really think that Preserve Single Quotes is supposed to handle this. I know you said that it wasn't working, but do you get the same error if you do this:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

At 01:59 PM 4/12/2002 -0400, you wrote:

This is the offending line:

    ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'

and the cfoutput of that line:

    ,SIZE = 'Teacher's Solo'

Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive' where id = 1'.

If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What error are you getting? What database are you using? Have you tried outputting the data after you submit it to see what you are getting?

At 01:38 PM 4/12/2002 -0400, you wrote:

From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error. I've already tried the function #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

    <cfoutput>
    <cfset temp = "Teacher's Group">
    #PreserveSingleQuotes(temp)#
    </cfoutput>

You could probably try to do something more using replace:

    #Replace("Teacher's Group", "'", "''", "all")#

will return:

    Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
RE: Crosspost: Escaping single quotes
Well, Jeffrey, I hadn't actually tried the function so I figured I might as well give it a shot. It didn't work.

Just in time compilation error
Invalid parser construct found on line 48 at position 55. ColdFusion was looking at the following text:
[
Invalid expression format. The usual cause is an error in the expression structure.

This is line 48:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:54 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What is the full query? I really think that Preserve Single Quotes is supposed to handle this. I know you said that it wasn't working, but do you get the same error if you do this:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

At 01:59 PM 4/12/2002 -0400, you wrote:

This is the offending line:

    ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'

and the cfoutput of that line:

    ,SIZE = 'Teacher's Solo'

Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive' where id = 1'.

If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What error are you getting? What database are you using? Have you tried outputting the data after you submit it to see what you are getting?

At 01:38 PM 4/12/2002 -0400, you wrote:

From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error. I've already tried the function #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

    <cfoutput>
    <cfset temp = "Teacher's Group">
    #PreserveSingleQuotes(temp)#
    </cfoutput>

You could probably try to do something more using replace:

    #Replace("Teacher's Group", "'", "''", "all")#

will return:

    Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
RE: Quicky
    <cfset Field1 = Right(Field1, 12)>

Russel Madere
Senior Software Engineer
Turbo Squid, Inc.
http://www.turbosquid.com
Is your head tag nested within your body tag?

-----Original Message-----
From: Janine Jakim [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:15 PM
To: CF-Talk
Subject: Quicky

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field.
ie: I want
FIELD1: 12345678901234567890
to be set as:
FIELD2: 901234567890
Thanks in advance.
j
Re: RE: RE: Preventing SQL injection attacks...?
No, it won't. It'll produce the SQL equivalent of:

    select * from mytable where username = 'tony ''drop table tablename --'

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:46 am
Subject: RE: RE: Preventing SQL injection attacks...?

still. if i had the value

    tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR it would still pass in the value as such

    select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?

cfqueryparam does in fact prevent that code from running. cfqueryparam creates a prepared statement with parameters. It then compares what you've entered as a value with the datatype you've specified and, if successful, binds the parameters with what you've entered. So, if you entered:

    select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_DECIMAL">

and then in your url entered:

    id=12;drop table yourtable

It would throw you an error. As well, if you had:

    select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

    select * from table where id = '12;drop table yourtable'

----- Original Message -----
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

let's say you have a text field that is 100 characters long. you can still get a drop table tablename appended to the sql statement or write an entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a cure-all.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-----Original Message-----
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

[EMAIL PROTECTED] wrote:

you can't forget that form fields also play a part in this. after reading the information provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). if you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions, which sucks! anyone know a way it could?

why not just use cfqueryparam, it validates and it makes your sql code run faster???
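The point disputed in this thread, whether a value bound as a parameter can close the string literal and reach the SQL parser, can be checked directly. This is an added example, not code from any post: Python's sqlite3 stands in for the prepared statement that cfqueryparam creates, and the helper names and the in-memory tables are assumptions; the two payload strings are the ones quoted in the thread.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Values quoted in the thread above.
VARCHAR_PAYLOAD = "tony ' drop table tablename--"
NUMERIC_PAYLOAD = "12;drop table yourtable"


def make_db():
    """Constructed in-memory database; table names follow the thread's examples."""
    db = sqlite3.connect(":memory:")
    db.execute("create table mytable (id integer primary key, username text)")
    db.execute("create table tablename (x integer)")
    db.execute("insert into mytable (username) values ('tony')")
    return db


def table_exists(db, name):
    row = db.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def lookup_concatenated(db, username):
    """Unsafe pattern: the value becomes part of the SQL text."""
    return db.execute(
        "select id, username from mytable where username = '" + username + "'"
    ).fetchall()


def lookup_bound(db, username):
    """Prepared statement: the value travels as a parameter, never as SQL text."""
    return db.execute(
        "select id, username from mytable where username = ?", (username,)
    ).fetchall()


def concatenation_reaches_parser(db, value):
    """True when the spliced value changed the statement's syntax.

    SQLite rejects the broken-out text as a syntax error; what matters is
    that the parser saw it as SQL rather than as data.
    """
    try:
        lookup_concatenated(db, value)
    except sqlite3.OperationalError:
        return True
    return False


def bind_decimal(value):
    """Assumed stand-in for the CF_SQL_DECIMAL type check done before binding."""
    try:
        return Decimal(value)
    except InvalidOperation:
        raise ValueError("not a decimal: %r" % (value,)) from None


def escaped_literal_value(db, value):
    """Evaluate the 'SQL equivalent' literal (quotes doubled) and return it.

    Only illustrates the equivalence described in the reply; a bound
    parameter needs no escaping because it is never parsed.
    """
    literal = "'" + value.replace("'", "''") + "'"
    return db.execute("select " + literal).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("bound lookup, payload:", lookup_bound(db, VARCHAR_PAYLOAD))
    print("table still there:", table_exists(db, "tablename"))
    print("concatenated payload reached parser:",
          concatenation_reaches_parser(db, VARCHAR_PAYLOAD))
    print("equivalent literal evaluates to:",
          repr(escaped_literal_value(db, VARCHAR_PAYLOAD)))
```
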
Re: Quicky
    <cfset variable = "#Right(field1, 12)#">

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field.
ie: I want
FIELD1: 12345678901234567890
to be set as:
FIELD2: 901234567890
Thanks in advance.
j
Re: Quicky
Whooo sorry ... (I should have said 12, someone said 9 as I was typing)...

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

    <cfset variable = "#Right(field1, 12)#">

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field.
ie: I want
FIELD1: 12345678901234567890
to be set as:
FIELD2: 901234567890
Thanks in advance.
j
RE: Quicky
The other poster had it right, but just to be anal, bear in mind you don't need either the quotes or pounds below. Simply use:

    right(field1,12)

not

    #right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-----Original Message-----
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:27 PM
To: CF-Talk
Subject: Re: Quicky

    <cfset variable = "#Right(field1, 12)#">

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field.
ie: I want
FIELD1: 12345678901234567890
to be set as:
FIELD2: 901234567890
Thanks in advance.
j
Re: Quicky
Anal is good!!! Just think what our code would look like if we were not full of analisms

Success is a journey, not a destination!!
Doug Brown

----- Original Message -----
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: RE: Quicky

The other poster had it right, but just to be anal, bear in mind you don't need either the quotes or pounds below. Simply use:

    right(field1,12)

not

    #right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-----Original Message-----
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:27 PM
To: CF-Talk
Subject: Re: Quicky

    <cfset variable = "#Right(field1, 12)#">

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field.
ie: I want
FIELD1: 12345678901234567890
to be set as:
FIELD2: 901234567890
Thanks in advance.
j
RE: Crosspost: Escaping single quotes
Well, that isn't a database error, at least. It seems to be spitting up on the '[' character. It is a fairly complicated variable structure (Is it structures of structures or just variable names with dots in them?) Maybe you need to play around with pound signs?

    '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[#i#])#'

I'm stuck and without database / code to attempt to debug against, I don't think there is much other help I could offer. Did you try HTMLEditFormat as someone else had suggested?

At 03:27 PM 4/12/2002 -0400, you wrote:

Well, Jeffrey, I hadn't actually tried the function so I figured I might as well give it a shot. It didn't work.

Just in time compilation error
Invalid parser construct found on line 48 at position 55. ColdFusion was looking at the following text:
[
Invalid expression format. The usual cause is an error in the expression structure.

This is line 48:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:54 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What is the full query? I really think that Preserve Single Quotes is supposed to handle this. I know you said that it wasn't working, but do you get the same error if you do this:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

At 01:59 PM 4/12/2002 -0400, you wrote:

This is the offending line:

    ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'

and the cfoutput of that line:

    ,SIZE = 'Teacher's Solo'

Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive' where id = 1'.

If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What error are you getting? What database are you using? Have you tried outputting the data after you submit it to see what you are getting?

At 01:38 PM 4/12/2002 -0400, you wrote:

From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error. I've already tried the function #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

    <cfoutput>
    <cfset temp = "Teacher's Group">
    #PreserveSingleQuotes(temp)#
    </cfoutput>

You could probably try to do something more using replace:

    #Replace("Teacher's Group", "'", "''", "all")#

will return:

    Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:

Hi everybody,

I'm having a problem with an update to a table - the problem is when I want to update or insert the string Teacher's Group. CF throws an error at me when I try this. I know that CF usually escapes the single quote, but it's not in this case. I know I saw a post with on this list or CFDJList about there being a bug with escaping single quotes in CF4.5. Anybody know how can I make CF escape the single quote for insertion into my table?

Thanks
Matt Small
RE: RE: Deadlock
I have fought these particular beasts before... Uggh! Contrary to popular opinion, I would guess this is a coding problem and that you are using a CFTRANSACTION that calls upon multiple tables? What is happening is two different transactions are locking tables and getting stuck waiting for the other transaction to release the ones it's got locked up. A diagram to illustrate the point:

TRANS_1:
- SELECT FROM tbl_a
- SELECT FROM tbl_b

TRANS_2:
- SELECT FROM tbl_b
- SELECT FROM tbl_a

When two users fire the transactions at the same time, the result is the error you are experiencing. This is just a guess, tho... the solution is to take a closer look at those transactions.

M

-----Original Message-----
From: Craig Thomas [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:21 PM
To: CF-Talk
Subject: RE: RE: Deadlock

are you using cftransaction tags?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:50 PM
To: CF-Talk
Subject: Re: RE: Deadlock

This is not a CF error. This is a SQL Server error. What are you doing in your SQL that would cause such deadlocks?

----- Original Message -----
From: Semrau, Steven L Mr RDAISA/SRA [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:39 am
Subject: RE: Deadlock

Read up on CFLOCK it talks about Deadlocks and the possible reasons why.

-----Original Message-----
From: Justin Waldrip [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:10 PM
To: CF-Talk
Subject: Deadlock

Your transaction (process ID #39) was deadlocked with another process and has been chosen as the deadlock victim. Rerun your transaction.

I am receiving quite a few of these errors in a row. Where is a good place to start looking for things that might cause this?

Thanks,
Justin
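The opposite-order pattern in the TRANS_1 / TRANS_2 diagram above can be found mechanically when reviewing transactions. This is an added example, not code from any post: the function names are assumptions, and it assumes each transaction can be described by the ordered list of tables it touches and can be rewritten to touch them in one agreed order.

```python
from itertools import combinations

# The diagram from the message above, as table-access order per transaction.
DIAGRAM = {
    "TRANS_1": ["tbl_a", "tbl_b"],
    "TRANS_2": ["tbl_b", "tbl_a"],
}


def first_positions(tables):
    """Map each table to the index at which the transaction first touches it."""
    positions = {}
    for index, table in enumerate(tables):
        positions.setdefault(table, index)
    return positions


def lock_order_conflicts(transactions):
    """Return (txn_a, txn_b, first, second) for every pair of tables that
    txn_a touches as first-then-second while txn_b touches them the other
    way round. Each such pair is a candidate deadlock cycle."""
    conflicts = []
    for (name_a, order_a), (name_b, order_b) in combinations(
        sorted(transactions.items()), 2
    ):
        pos_a = first_positions(order_a)
        pos_b = first_positions(order_b)
        shared = sorted(set(pos_a) & set(pos_b))
        for x, y in combinations(shared, 2):
            a_takes_x_first = pos_a[x] < pos_a[y]
            b_takes_x_first = pos_b[x] < pos_b[y]
            if a_takes_x_first != b_takes_x_first:
                first, second = (x, y) if a_takes_x_first else (y, x)
                conflicts.append((name_a, name_b, first, second))
    return conflicts


def with_canonical_order(transactions):
    """Rewrite every transaction to touch its tables in one global order
    (alphabetical here, as an assumption; any fixed order works)."""
    return {name: sorted(set(tables)) for name, tables in transactions.items()}


if __name__ == "__main__":
    print("conflicts:", lock_order_conflicts(DIAGRAM))
    print("after reordering:", lock_order_conflicts(with_canonical_order(DIAGRAM)))
```
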
RE: Quicky
Thanks all- I knew it was super easy- I had stuck in rtrim instead of right- my bleary eyes didn't catch it-

-----Original Message-----
From: Raymond Camden [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:30 PM
To: CF-Talk
Subject: RE: Quicky

The other poster had it right, but just to be anal, bear in mind you don't need either the quotes or pounds below. Simply use:

    right(field1,12)

not

    #right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-----Original Message-----
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:27 PM
To: CF-Talk
Subject: Re: Quicky

    <cfset variable = "#Right(field1, 12)#">

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field.
ie: I want
FIELD1: 12345678901234567890
to be set as:
FIELD2: 901234567890
Thanks in advance.
j
RE: Crosspost: Escaping single quotes
Rats.. that won't work.. so much for code humor.

Good Fortune,
Richard Walters, Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

[EMAIL PROTECTED] 04/12/02 03:53PM

    <cfset theVariable = #evaluate(chr(39) Smith's shorts chr(39))#>
    <cfquery name="queryit" datasource="#dsn#">
    update items set itemname = #preservesinglequotes(htmleditformat(theVariable))#
    </cfquery>

How's that for an explanation? It must be Friday!

Good Fortune,
Richard Walters, Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

[EMAIL PROTECTED] 04/12/02 03:36PM

Well, that isn't a database error, at least. It seems to be spitting up on the '[' character. It is a fairly complicated variable structure (Is it structures of structures or just variable names with dots in them?) Maybe you need to play around with pound signs?

    '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[#i#])#'

I'm stuck and without database / code to attempt to debug against, I don't think there is much other help I could offer. Did you try HTMLEditFormat as someone else had suggested?

At 03:27 PM 4/12/2002 -0400, you wrote:

Well, Jeffrey, I hadn't actually tried the function so I figured I might as well give it a shot. It didn't work.

Just in time compilation error
Invalid parser construct found on line 48 at position 55. ColdFusion was looking at the following text:
[
Invalid expression format. The usual cause is an error in the expression structure.

This is line 48:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:54 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What is the full query? I really think that Preserve Single Quotes is supposed to handle this. I know you said that it wasn't working, but do you get the same error if you do this:

    ,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'

At 01:59 PM 4/12/2002 -0400, you wrote:

This is the offending line:

    ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'

and the cfoutput of that line:

    ,SIZE = 'Teacher's Solo'

Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive' where id = 1'.

If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

What error are you getting? What database are you using? Have you tried outputting the data after you submit it to see what you are getting?

At 01:38 PM 4/12/2002 -0400, you wrote:

From the CF4.5 Language Reference - PreserveSingleQuotes - Prevents ColdFusion from automatically escaping single quotes contained in variable.

What is going on is I have a CFGRID that I have to manually update because it throws an error if I use CFGRIDUPDATE. My own code which does the update and insert works perfect except when it encounters the string Teacher's. For some reason that I don't know, the single quote does not get escaped when I pull it from the variable FORM.EDITTABLE.SIZE[i]. I can't figure out what to do. I want the single quote to be escaped so that it will insert into the database without error. I've already tried the function #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work for me. Anybody got any ideas what's going on?

Thanks,
- Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

I am either confused about the functionality you want, or the functionality PreserveSingleQuotes provides. PreserveSingleQuotes preserves single quotes for database inserts by automatically escaping them. It needs a variable as the value, not a string. I'm assuming you already have Teacher's Group in a variable?

    <cfoutput>
    <cfset temp = "Teacher's Group">
    #PreserveSingleQuotes(temp)#
    </cfoutput>

You could probably try to do something more using replace:

    #Replace("Teacher's Group", "'", "''", "all")#

will return:

    Teacher''s Group

At 11:55 AM 4/12/2002 -0400, you wrote:

No, that preserves single quotes. I want to escape single quotes.

Thanks,
Matt Small

-----Original Message-----
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM
RE: Quicky
I think there are the seeds to a book in there somewhere: Cold Fusion for Anal people? Perhaps a full line of for anal people books - why not, people admit they are dummies and idiots at Borders every day g.

-Original Message-
From: Douglas Brown [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:40 PM
To: CF-Talk
Subject: Re: Quicky

Anal is good!!! Just think what our code would look like if we were not full of analisms

Success is a journey, not a destination!!
Doug Brown

- Original Message -
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: RE: Quicky

The other poster had it right, but just to be anal, bare in mind you don't need either the quotes or pounds below. Simply use:

    right(field1,12)

not

    #right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-Original Message-
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:27 PM
To: CF-Talk
Subject: Re: Quicky

    <cfset variable = #Right(field1, 12)#>

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field. ie: I want FIELD1: 12345678901234567890 to be set as: FIELD2: 901234567890

Thanks in advance.
j
RE: Crosspost: Escaping single quotes
At 04:08 PM 4/12/2002 -0400, you wrote:

Well, actually, I'm okay because I just decided to kill that line of code altogether. I just realized that it's not essential to have that field editable and so everything works without it. ;) I'm sorry that I got you thinking so hard about it. I still don't know what the right thing to do is but I won't worry about it anymore.

Nothing wrong with a little intellectual stimulation between betas.

--
Jeffry Houser | mailto:[EMAIL PROTECTED]
Need a Web Developer? Contact me!
AIM: Reboog711 | Fax / Phone: 860-223-7946
--
My Books: http://www.instantcoldfusion.com
My Band: http://www.farcryfly.com
DSN-Less DB Connection
Does anyone know the syntax to connect to an Access DB without a DSN? Also, are there any pros/cons to using DSN-Less connections. I have done it in ASP without any noticeable performance issues, but I am not sure about how ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]
Re: RE: RE: RE: Preventing SQL injection attacks...?
I myself use SP's whenever possible (there are times when this isn't possible). However, it's beneficial to correctly outline what cfqueryparam does, for those people on the list that should be using cfqueryparam.

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 2:03 pm
Subject: RE: RE: RE: Preventing SQL injection attacks...?

i will have to take your word for it since i have probably never used cfqueryparam, nor intend to. i personally always use stored procedures and i do all of my validation myself. if cfqueryparam works for you, then use it and god bless. i have been taught differently and personally i don't think i would trust it.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:24 PM
To: CF-Talk
Subject: Re: RE: RE: Preventing SQL injection attacks...?

No, it won't. It'll produce the SQL equivalent of:

    select * from mytable where username = 'tony ''drop table tablename --'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:46 am
Subject: RE: RE: Preventing SQL injection attacks...?

still. if i had the value

    tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR it would still pass in the value as such

    select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?

cfqueryparam does in fact prevent that code from running. cfqueryparam creates a prepared statement with parameters. It then compares what you've entered as a value with the datatype you've specified and, if successful, binds the parameters with what you've entered. So, if you entered:

    select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_DECIMAL">

and then in your url entered:

    id=12;drop table yourtable

It would throw you an error. As well, if you had:

    select * from table where id = <cfqueryparam value="#url.id#" cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

    select * from table where id = '12;drop table yourtable'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

let's say you have a text field that is 100 characters long. you can still get a drop table tablename appended to the sql statement or write an entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a cure all.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org

-Original Message-
From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:06 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?

[EMAIL PROTECTED] wrote:

you can't forget that form fields also play a part in this. after reading the information provided in jeff's link, it did shine a light. although i have been taught from the beginning to always use val() around numeric values (thank Adam) and to use regex to validate text input (props Raymond). if you're anal and take the time to make sure that the information that people are passing you is in the exact format you want, you shouldn't have a problem. also, don't rely on javascript, i always do server-side validation even after client side, just to make certain. i even go as far as putting as much validation as i can into my stored procedures and triggers. although SQL server doesn't support regular expressions, which sucks! anyone know a way it could?

why not just use cfqueryparam, it validates and it makes your sql code run faster???
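The point argued in this thread is whether a bound parameter can ever be parsed as SQL; the apostrophe in "Teacher's Solo" from the Escaping single quotes thread is the same question in harmless form. The following is an added example, not code from any poster: Python's sqlite3 stands in for cfqueryparam and the list's databases, and `check_type`, the table and the input strings are constructed for illustration.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed inputs, adapted from the values quoted in the threads.
VARCHAR_INPUT = "tony ' drop table mytable--"
NUMERIC_INPUT = "12;drop table mytable"
APOSTROPHE_INPUT = "Teacher's Solo"


def make_db():
    """In-memory SQLite database standing in for SQL Server or Access."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table mytable (id integer primary key, username text);"
        "insert into mytable (id, username) values (12, 'tony');"
    )
    return db


def table_exists(db, name="mytable"):
    sql = "select count(*) from sqlite_master where type = 'table' and name = ?"
    return db.execute(sql, (name,)).fetchone()[0] == 1


def check_type(value, sqltype):
    """Hypothetical stand-in for the cfsqltype check: validate the value, then
    return it for binding as data; it is never spliced into the SQL text."""
    if sqltype == "CF_SQL_VARCHAR":
        return str(value)
    if sqltype == "CF_SQL_DECIMAL":
        try:
            number = Decimal(value)
        except InvalidOperation:
            raise ValueError("not a decimal: %r" % (value,)) from None
        if not number.is_finite():
            raise ValueError("not a finite decimal: %r" % (value,))
        return int(number) if number == number.to_integral_value() else float(number)
    raise ValueError("unsupported type: %s" % sqltype)


def add_user_bound(db, username):
    sql = "insert into mytable (username) values (?)"
    db.execute(sql, (check_type(username, "CF_SQL_VARCHAR"),))


def by_username_bound(db, username):
    sql = "select id, username from mytable where username = ?"
    return db.execute(sql, (check_type(username, "CF_SQL_VARCHAR"),)).fetchall()


def by_id_bound(db, raw_id):
    sql = "select id, username from mytable where id = ?"
    return db.execute(sql, (check_type(raw_id, "CF_SQL_DECIMAL"),)).fetchall()


def by_id_concatenated(db, raw_id):
    """The unparameterized form: the input becomes part of the statement text.
    executescript() emulates a driver that accepts stacked statements."""
    db.executescript("select id, username from mytable where id = " + raw_id)


if __name__ == "__main__":
    db = make_db()
    add_user_bound(db, APOSTROPHE_INPUT)
    print(by_username_bound(db, APOSTROPHE_INPUT))
    print(by_username_bound(db, VARCHAR_INPUT), table_exists(db))
    try:
        by_id_bound(db, NUMERIC_INPUT)
    except ValueError as err:
        print("rejected:", err)
    by_id_concatenated(db, NUMERIC_INPUT)
    print("table exists after concatenation:", table_exists(db))
```
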
Re: DSN-Less DB Connection
First, you will want to create a connection string like so:

    <cfset DBPATH=ExpandPath("../../Database")>
    <cfset DBFile="Baby.mdb">
    <cfset Driver="{Microsoft Access Driver (*.mdb)}">
    <cfset ConStr="DRIVER=#Driver#;DBQ=#DBFile#;DefaultDir=#DBPATH#;UID=Admin;PWD=;">

You then want to set up your CFQUERY like so:

    <cfquery dbtype="dynamic" connectstring="#ConStr#" name="qAuthenticate">
    Query goes here
    </cfquery>

-- Original Message --
From: Anthony DeStefano [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 12 Apr 2002 13:17:51 -0700

Does anyone know the syntax to connect to an Access DB without a DSN? Also, are there any pros/cons to using DSN-Less connections. I have done it in ASP without any noticeable performance issues, but I am not sure about how ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]
RE: Quicky
Sounds like a good idea. I'll take care of the Evaluate chapter. ;) Of course, at the same time, I can't stand people who change code from cfif x is y to compare because supposedly compare is .001 ms faster. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-Original Message-
From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 4:05 PM
To: CF-Talk
Subject: RE: Quicky

I think there are the seeds to a book in there somewhere: Cold Fusion for Anal people? Perhaps a full line of for anal people books - why not, people admit they are dummies and idiots at Borders every day g.
RE: DSN-Less DB Connection
I found that a good way to cheat when building the connection string is to set up a file datasource (using the ODBC Control Panel applet) then concatenate each line with a semi-colon delimiter (of course, you'll need to change any lines to match the server environment where the data is stored)

---
Billy Cravens

-Original Message-
From: Bruce Sorge [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:34 PM
To: CF-Talk
Subject: Re: DSN-Less DB Connection

First, you will want to create a connection string like so:

    <cfset DBPATH=ExpandPath("../../Database")>
    <cfset DBFile="Baby.mdb">
    <cfset Driver="{Microsoft Access Driver (*.mdb)}">
    <cfset ConStr="DRIVER=#Driver#;DBQ=#DBFile#;DefaultDir=#DBPATH#;UID=Admin;PWD=;">

You then want to set up your CFQUERY like so:

    <cfquery dbtype="dynamic" connectstring="#ConStr#" name="qAuthenticate">
    Query goes here
    </cfquery>

-- Original Message --
From: Anthony DeStefano [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 12 Apr 2002 13:17:51 -0700

Does anyone know the syntax to connect to an Access DB without a DSN? Also, are there any pros/cons to using DSN-Less connections. I have done it in ASP without any noticeable performance issues, but I am not sure about how ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]
RE: DSN-Less DB Connection
Just to clarify, you set up the file DSN locally - then modify the string you build to match the file path on your production environment (using functions like #expandPath()# to reduce hard-coding of course)

---
Billy Cravens

-Original Message-
From: Cravens, Billy
Sent: Friday, April 12, 2002 3:31 PM
To: CF-Talk
Subject: RE: DSN-Less DB Connection

I found that a good way to cheat when building the connection string is to set up a file datasource (using the ODBC Control Panel applet) then concatenate each line with a semi-colon delimiter (of course, you'll need to change any lines to match the server environment where the data is stored)

---
Billy Cravens

-Original Message-
From: Bruce Sorge [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:34 PM
To: CF-Talk
Subject: Re: DSN-Less DB Connection

First, you will want to create a connection string like so:

    <cfset DBPATH=ExpandPath("../../Database")>
    <cfset DBFile="Baby.mdb">
    <cfset Driver="{Microsoft Access Driver (*.mdb)}">
    <cfset ConStr="DRIVER=#Driver#;DBQ=#DBFile#;DefaultDir=#DBPATH#;UID=Admin;PWD=;">

You then want to set up your CFQUERY like so:

    <cfquery dbtype="dynamic" connectstring="#ConStr#" name="qAuthenticate">
    Query goes here
    </cfquery>

-- Original Message --
From: Anthony DeStefano [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Fri, 12 Apr 2002 13:17:51 -0700

Does anyone know the syntax to connect to an Access DB without a DSN? Also, are there any pros/cons to using DSN-Less connections. I have done it in ASP without any noticeable performance issues, but I am not sure about how ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]
Re: Quicky
Hmmh anal and bare (as in naked) mind. What kind of list is this anyway? ;)

- Original Message -
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 1:30 PM
Subject: RE: Quicky

The other poster had it right, but just to be anal, bare in mind you don't need either the quotes or pounds below. Simply use:

    right(field1,12)

not

    #right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-Original Message-
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:27 PM
To: CF-Talk
Subject: Re: Quicky

    <cfset variable = #Right(field1, 12)#>

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field. ie: I want FIELD1: 12345678901234567890 to be set as: FIELD2: 901234567890

Thanks in advance.
j
Help needed - More client variable weirdness
Looking for ideas here, cuz I'm fresh out.

Using a SQL Server 2000 database to store the client variables. On my computer, I can log into our web app, and see NEW record/CFID for me. When I log out - which is meant to clear/remove the client variables, my record is deleted - as it should be.

On a different workstation, as a different user we see different behaviour (only this one workstation). When logging out, the client variables are zeroed/set to defaults - whereas the record should be deleted. When the user logs in again, they get the same CFID/CFToken, and this record is reused.

In Application.CFM, I convert the CFID and CFToken cookies to be memory based cookies. So, if all browsers are closed, and the user then opens a new browser and tries to login, they should get a different CFID/CFToken.

The workstation in question has IE 5.5, with the latest security patches. We have tried deleting the cookie for our domain as well, with the same results.

This is getting annoying because the developer will do work, get something functional on his box, and mark it as done. Yet when another of us tries to use the code, it fails - and we've tracked it down to a client variable issue.

Any suggestions? Thanks in advance.

Shawn Grover
RE: Quicky
It's one that degrades as the week goes by, I think... And it IS Friday!

-Original Message-
From: Don Vawter [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:02 PM
To: CF-Talk
Subject: Re: Quicky

Hmmh anal and bare (as in naked) mind. What kind of list is this anyway? ;)

- Original Message -
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 1:30 PM
Subject: RE: Quicky

The other poster had it right, but just to be anal, bare in mind you don't need either the quotes or pounds below. Simply use:

    right(field1,12)

not

    #right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda

-Original Message-
From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:27 PM
To: CF-Talk
Subject: Re: Quicky

    <cfset variable = #Right(field1, 12)#>

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder

I know the answer is easy, but it's late on Friday and it's been a long week... Ok I need to set a variable with CFSET- (not in a query) to be the last 12 characters of another field. ie: I want FIELD1: 12345678901234567890 to be set as: FIELD2: 901234567890

Thanks in advance.
j