RE: CF Web Hosting

2002-04-12 Thread Jason Egan

Way to go Jason == making us look bad... ;-)

Jason
CFDynamics.com

-Original Message-
From: Dowdell, Jason G [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 11:50 AM
To: CF-Talk
Subject: RE: CF Web Hosting


Must've been one of my infinite loops :0)
~jason

-Original Message-
From: phumes1 [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 1:14 PM
To: CF-Talk
Subject: RE: CF Web Hosting


Yea...I just tried it and got on. Server must have went down. :-)


At 12:58 PM 4/8/2002 -0400, you wrote:
http://www.cfdynamics.com/  loads right away for me.

Ken



-Original Message-
From: phumes1 [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 08, 2002 12:47 PM
To: CF-Talk
Subject: RE: CF Web Hosting


I just tried http://www.cfdynamics.com and http://cfdynamics.com I can't
find the server. This is not a good start. :-)





__
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Custom Tag Question

2002-04-12 Thread Pascal Peters

This works, but why not use Dave's approach and pass the query as a pointer. It will 
make more readable code.
Also, you don't need to pass the recordcount into the CT. The info is available there.

Calling the tag with this:
<cf_theS Rows="3" 
Query="#GetProductList#">



<!--- begin custom tag--->
<cfset numberOfRows = ceiling(attributes.Query.RecordCount/attributes.Rows)>
<cfset NumOfCol = attributes.Rows>
<cfset BeginRow = 1>

<table width="100" cellpadding="5">
<cfloop index="i" from="1" to="#numberOfRows#">
<tr>
 <cfoutput query="ATTRIBUTES.Query" 
StartRow="#variables.BeginRow#" Maxrows="#variables.NumOfCol#">
 <td>
 <img src="../catImages/#ThumbNail#" border="0" alt="#ID#">
 </td>
 </cfoutput>
<cfset BeginRow = BeginRow + NumOfCol>
</tr>
</cfloop>
</table>
-Original Message-
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: Thursday 11 April 2002 22:45
To: CF-Talk
Subject: RE: Custom Tag Question


Ok... i did quite follow what you guys were saying, but thanks for 
trying.  I did get it to work like this.  Let me know if im an idiot and if 
this is total kludge.

I put Caller.#ATTRIBUTES.Query# into the Query= on my CFoutput.


Calling the tag with this:
<cf_theS QueryCount="#GetProductlist.recordcount#" Rows="3" 
Query="GetProductList">



<!--- begin custom tag--->
<cfset numberOfRows = ceiling(attributes.QueryCount/attributes.Rows)>
<cfset NumOfCol = attributes.Rows>
<cfset BeginRow = 1>

<table width="100" cellpadding="5">
<cfloop index="i" from="1" to="#numberOfRows#">
<tr>
 <cfoutput query="Caller.#ATTRIBUTES.Query#" 
StartRow="#variables.BeginRow#" Maxrows="#variables.NumOfCol#">
 <td>
 <img src="../catImages/#ThumbNail#" border="0" alt="#ID#">
 </td>
 </cfoutput>
<cfset BeginRow = BeginRow + NumOfCol>
</tr>
</cfloop>
</table>




RE: CFINCLUDE tag and relative paths

2002-04-12 Thread Pascal Peters

Easiest solution is to use CF mappings instead of relative paths.

-Original Message-
From: heirophant mm [mailto:[EMAIL PROTECTED]]
Sent: Friday 12 April 2002 4:11
To: CF-Talk
Subject: CFINCLUDE tag and relative paths


I have a display template, called as a custom tag through CFMODULE. The caller tags 
pass it an attribute called navigation, which is the path of a navigation template 
to display. The custom tag displays it using cfdisplay 
template=#attributes.navigation#.

I want the caller to be able to pass a path relative from itself (for ease of use) - 
so the value you pass for the navigation attribute would be the same as the value 
that a CFINCLUDE right inside the caller template would use.

However, since the display template is in a different folder, just doing cfinclude 
template=#attributes.navigation# does not work, since it expects the path to be 
relative from the current template, NOT the caller template.

I wrote some UDFs that convert the value of attributes.navigation so the path is instead 
relative to the display template, allowing the CFINCLUDE tag to work correctly. This 
solution is not very elegant, though. Nor is it efficient.

Am I missing an easier way to do this? To summarize, I want a CFINCLUDE tag to 
correctly find a path that is relative to the caller template, instead of the current 
[custom tag] template.

Note: For reasons unknown to me, we aren't allowed to use the Custom Tags folder on 
our server. So this display template I'm talking about is actually below the wwwroot 
folder. I don't know if that makes any difference in my problem.

This brings me to my second question: Do custom tags actually in the Custom Tags 
folder behave differently concerning tags such as CFINCLUDE? In this case, would the 
CFINCLUDE tag look for a template relative to the caller template instead?

---

Mike Mertsock
Web Applications Programmer
Alfred University
[EMAIL PROTECTED]





Deleting dynamic structure keys

2002-04-12 Thread Kay Smoljak

In my continuing structure saga...

I need to delete a structure key, which is itself a structure. Like this:

<cfloop collection="#payment#" item="b">
<cfif payment[b].amount EQ 0>
<cfset freebies[b] = StructCopy(payment[b])>
<cfset success = StructDelete(payment,payment[b])>
</cfif>
</cfloop>

That doesn't work, because the second parameter of StructDelete has to
be a simple value. Problem is, I don't know the key's name.
StructClear(payment[b]) clears the structure, but doesn't remove the key
itself.

Am I missing something?
Kay.
__ 
Kay Smoljak - ColdFusion Developer - PerthWeb Pty Ltd 
  
Level 9/105 St George's Terrace - Perth - Western Australia 
Ph: (08) 9226 1366 Fax: (08) 9226 1375 www.perthweb.com.au

http://developer.perthweb.com.au - Tools for Developers
cfx_pwcamtech | cfx_pwimageproc | cfx_pwcardcyrpt


 
 




RE: Deleting dynamic structure keys

2002-04-12 Thread Pascal Peters

StructDelete(payment,b)

-Original Message-
From: Kay Smoljak [mailto:[EMAIL PROTECTED]]
Sent: Friday 12 April 2002 11:14
To: CF-Talk
Subject: Deleting dynamic structure keys


In my continuing structure saga...

I need to delete a structure key, which is itself a structure. Like this:

<cfloop collection="#payment#" item="b">
<cfif payment[b].amount EQ 0>
<cfset freebies[b] = StructCopy(payment[b])>
<cfset success = StructDelete(payment,payment[b])>
</cfif>
</cfloop>

That doesn't work, because the second parameter of StructDelete has to
be a simple value. Problem is, I don't know the key's name.
StructClear(payment[b]) clears the structure, but doesn't remove the key
itself.

Am I missing something?
Kay.
__ 
Kay Smoljak - ColdFusion Developer - PerthWeb Pty Ltd 
  
Level 9/105 St George's Terrace - Perth - Western Australia 
Ph: (08) 9226 1366 Fax: (08) 9226 1375 www.perthweb.com.au

http://developer.perthweb.com.au - Tools for Developers
cfx_pwcamtech | cfx_pwimageproc | cfx_pwcardcyrpt


 
 





RE: Deleting dynamic structure keys

2002-04-12 Thread Neil Clark - =TMM=

It's not embarrassing Kay... everyone has an off day!




Prevent JavaScript timer from re-initialising on refresh

2002-04-12 Thread Vishal Narayan

We have created an online assessment on our site, in some ways similar to 
the BrainBench online tests. It is a dynamic page and it submits back to 
itself. We use a JavaScript function to work as a timer - the countdown is 
shown in the bottom status bar.
window.status="Time left = " + counter + " seconds";

The problem is that if somebody refreshes the page while taking the test, 
the timer is reset back to the initial value. It is thus possible for a 
person to take much longer than the stipulated time to complete the 
assessment.

Can anyone suggest a solution around this ?

Thanks,

Vishal.
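
Added example, not part of the original post: the reset described above goes away when the start time is recorded once on the server and the remaining time is derived from it on every page load, with late submissions refused on the server. The session object, function names, time limit and grace period are hypothetical; the logic is shown in JavaScript and would sit in the self-submitting page's server-side code.

```javascript
"use strict";
// Added example: the time limit is enforced from a start time held in the
// server-side session, so refreshing the page cannot reset it.
// All names and values here are hypothetical.

const TEST_DURATION_SECONDS = 30 * 60; // assumed time limit
const GRACE_SECONDS = 5;               // assumed allowance for submit latency

// Runs on every load of the assessment page (the page submits to itself).
// startedAt is written only when the session has none, so a refresh
// re-reads the original start time instead of creating a new one.
function loadAssessmentPage(session, nowMs) {
  if (typeof session.startedAt !== "number") {
    session.startedAt = nowMs;
  }
  const deadlineMs = session.startedAt + TEST_DURATION_SECONDS * 1000;
  const remaining = Math.max(0, Math.ceil((deadlineMs - nowMs) / 1000));
  // This value seeds the browser countdown; it is for display only.
  return { remainingSeconds: remaining, expired: remaining === 0 };
}

// Runs when answers are posted. The decision uses the server clock and the
// stored start time; nothing the browser reports about time is consulted.
function acceptSubmission(session, nowMs) {
  if (typeof session.startedAt !== "number") {
    return { accepted: false, reason: "not-started" };
  }
  const elapsedSeconds = (nowMs - session.startedAt) / 1000;
  if (elapsedSeconds > TEST_DURATION_SECONDS + GRACE_SECONDS) {
    return { accepted: false, reason: "time-expired" };
  }
  return { accepted: true, reason: "ok" };
}

// Browser side: same status-bar text as the post, seeded with the
// server-computed remainingSeconds rather than a fixed initial value.
function statusText(counter) {
  return "Time left = " + counter + " seconds";
}

// Constructed scenario: start, refresh after 10 minutes, submit after 31.
function demo() {
  const session = {};
  const t0 = Date.UTC(2002, 3, 12, 9, 0, 0);
  const first = loadAssessmentPage(session, t0);
  const afterRefresh = loadAssessmentPage(session, t0 + 10 * 60 * 1000);
  const lateSubmit = acceptSubmission(session, t0 + 31 * 60 * 1000);
  return { first, afterRefresh, lateSubmit };
}

const result = demo();
console.log(statusText(result.first.remainingSeconds));
console.log(statusText(result.afterRefresh.remainingSeconds));
console.log(result.lateSubmit);
```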




capture close browser event

2002-04-12 Thread Mak Wing Lok

Is there a way we can capture the event when a user closes a browser?
Or, when the user closes a browser, can the CF application execute a CF page,
for example logout.cfm?
I tried using the code below:

<SCRIPT FOR="WINDOW" EVENT="ONBEFOREUNLOAD" LANGUAGE="JAVASCRIPT">
window.open('logout.cfm','logout_href')
</SCRIPT>

But the code above is executed whenever a page is refreshed or
changed. I'm following the tutorial from cfvault.com but it does not really
work the way I want. Yes, I managed to log out the user when the browser is
closed, but I log out the user too whenever a page is changed.

any help?


--- 
Pharmaniaga Berhad, your integrated healthcare provider
www.pharmaniaga.com.my 
www.ehealth4all.com, your most convenient way to healthcare, everyday... 
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential or privileged material.
If you received this in error, please contact the sender and delete the
material from any computer. Any review, retransmission, dissemination or
other use of, or taking of any action in reliance upon, this information by
persons or entities other than the intended recipient is prohibited. 
---



Re: Recordset to structure?

2002-04-12 Thread Justin Scott

 The two options I can see are looping over each record and copying it to
 a struct, or using Query functions to manipulate the recordset itself. I
 haven't worked with the query functions very much - are there any
 limitations to either of these approaches? How about performance?

If you already have the data in a query type variable, I would just leave it
there and manipulate it directly if possible.  Using the query functions is
not that hard to learn, though adding a row can be cumbersome.  If you're
using CF5 you can also use QofQ to easily extract data from your modified
query data.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com





Re: capture close browser event

2002-04-12 Thread Tim Painter

You can use the OnUnload event in the body tag to run something.

<body OnUnload="window.open('logout.cfm','logout_href');">

- Original Message -
From: Mak Wing Lok [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 7:21 AM
Subject: capture close browser event


 is there a way where we can capture the event when a user close a browser?
 or when the user close a browser the CF application will execute a cf
page?
 for example logout.cfm?
 i try using the code below :

 <SCRIPT FOR="WINDOW" EVENT="ONBEFOREUNLOAD" LANGUAGE="JAVASCRIPT">
 window.open('logout.cfm','logout_href')
 </SCRIPT>

 but eventually the code above will be executed whenever a page is refresh
or
 changed, i'm following the tutorial from cfvault.com but it does not
really
 work the way i want, yes, i managed to logout the user when the browser is
 closed but i logout the user too whenever a page is changed.

 any help?


 --
-
 Pharmaniaga Berhad, your integrated healthcare provider
 www.pharmaniaga.com.my
 www.ehealth4all.com, your most convenient way to healthcare, everyday...
 The information transmitted is intended only for the person or entity to
 which it is addressed and may contain confidential or privileged material.
 If you received this in error, please contact the sender and delete the
 material from any computer. Any review, retransmission, dissemination or
 other use of, or taking of any action in reliance upon, this information
by
 persons or entities other than the intended recipient is prohibited.
 --
-
 



cfset a.b = c -- COM error 0x80070005. Access is denied.

2002-04-12 Thread James Ang

Here's what I was trying to do based on an ASP VBScript example.

ASP VBScript:
SET a.b = c

CFML:
<cfset a.b = c>

a is a COM object.
b is a property of a that returns an object (i.e. not a simple value).
c is an instantiated object of the same type as b.

When a is instantiated, the property b is set to Nothing (i.e. void).

Both the instantiation of a and c were done via CFOBJECT tag (as opposed to the 
CreateObject() function which I have close to zero faith in from my experience in CF 
4.5.x).

I get the following error in CFML:
COM error 0x80070005. Access is denied.

The code worked fine in ASP VBScript.

CFAS is 5.0 Enterprise (eval/single-user) running on Windows 2000 Server.

So, what gives? :)

Preliminary/Cursory search of cfcomet did not yield anything useful.

Hope to hear something from you gurus here. :)

James Ang
[EMAIL PROTECTED]







Re: cfset a.b = c -- COM error 0x80070005. Access is denied.

2002-04-12 Thread Howie Hamlin

This is from www.cfcomet.com:

http://www.cfcomet.com/cfcomet/Other/index.cfm?ArticleID=32381637-0922-41CA-BBE305C2D66A7025#22

22. COM error 0x5. Access is denied.

Although this isn't a COM error per se, it is seen largely when using COM
objects by client services (i.e., ColdFusion) that do not have sufficient
access to an object. By default, ColdFusion is given access to the local
system account, which on NT and 2000 will not allow you to run many objects,
such as the ones provided by MS Office.

To fix this problem, one way is to assign ColdFusion services administrative
access. Go to your Services control panel in NT or 2000 (you shouldn't get
'Access Denied' on 95 or 98). Next, you have to alter the 3 services' logon
properties in the services control panel. To do this, on each ColdFusion
service (ColdFusion Application Server, ColdFusion Executive, and ColdFusion
RDS), right-click, choose Properties, and then you'll see a tab at the top
labeled Log On. Click it, and you will then see This Account, which is a
radio button. Click the This Account button then click Browse to choose who
to logon as, at which point you need to choose Administrator.

On Windows NT, in the Services applet under the Control Panel, select the
service and click on the Startup button (or double-click on the service). In
the Log On As: groupbox, select the This Account: radio button, enter the
account name (you can use the ... button to browse the account list), and
enter the password twice. A good thing to remember is that if the password to
the account is ever changed, all services using that account as the logon
must be updated or they will mysteriously fail at the next logon/reboot.



- Original Message -
From: James Ang [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 7:33 AM
Subject: cfset a.b = c -- COM error 0x80070005. Access is denied.


 Here's what I was trying to do based on an ASP VBScript example.

 ASP VBScript:
 SET a.b = c

 CFML:
 <cfset a.b = c>

 a is a COM object.
 b is a property of a that returns an object (i.e. not a simple value).
 c is an instantiated object of the same type as b.

 When a is instantiated, the property b is set to Nothing (i.e. void).

 Both the instantiation of a and c were done via CFOBJECT tag (as opposed to the 
CreateObject() function which I have close to zero
faith in from my experience in CF 4.5.x).

 I get the following error in CFML:
 COM error 0x80070005. Access is denied.

 The code worked fine in ASP VBScript.

 CFAS is 5.0 Enterprise (eval/single-user) running on Windows 2000 Server.

 So, what gives? :)

 Preliminary/Cursory search of cfcomet did not yield anything useful.

 Hope to hear something from you gurus here. :)

 James Ang
 [EMAIL PROTECTED]




 



Clustered Client variable management

2002-04-12 Thread Dowdell, Jason G

I have a question regarding the application.cfm settings for client
variable management when clustering.

I'm working on an application that I need to maintain user state in.
I want to use cfcookie to set a cookie on the user's machine that
stores a unique key to identify this user by when his browser is
open.  But I want this model to work in a clustered environment
as well as a shared hosting environment.  I'm not worried about
the extra overhead required to use cookies versus session vars.
I just want to know exactly what my cfapplication tag needs to
look like.

e.g.

<cfapplication name="Intranet Module" 
clientmanagement="Yes" 
setclientcookies="Yes"
ClientStorage="Cookie">

Would this application setting work both on a single server as well
as a clustered application?  The user will not be tied to a specific
machine when we cluster and all permissions for the user will be
obtained from the application specific database.

Any help would be much appreciated.  Especially if you are currently
running a clustered application or have experience with clustering
servers and maintaining state.

Best Regards,
Jason Dowdell
!---
 Jason Dowdell
 [EMAIL PROTECTED]
 321.799.6845
 IM AES - Web Application Developer
 ---




??

2002-04-12 Thread Brad T Comer- Ameritech

Can anyone assist, I have a headache from this puppy!

Prorating a purchase:
X=Cost 2500 for a year OR 2500/12 *
DifferenceInMonthsFromEXPMonthandCurrentMonth
Exp date is 08/31/02

If i make a purchase today I should be charged the difference in months
times {X}

Thanks
BtC




Hopefully only a sintaxis problem.

2002-04-12 Thread Mario Martinez R.

 Hi All:
My problem is probably silly, but it is a pain in the knee
for me.
I have a cvs file from which I need to pull some data in a
QUERY.
My cvs file has some field names that end in the
character ?. CF reports an error when I try to pull
one of these fields in my query.
Below is an example and what I see in the browser.
Any ideas to overcome this pain?
Thanks in advance for any help
Mario

//CF code
<cfquery name="InstrLedAttQuery"
datasource="EkOutsideFilescvs" dbtype="ODBC">
  
 SELECT  xx?   FROM InstrLedAtt#Item#.txt
</cfquery>


//Error I see in the browser
Error Occurred While Processing Request
Error Diagnostic Information
ODBC Error Code = 07001 (Wrong number of parameters)


[Microsoft][ODBC Text Driver] Too few parameters.
Expected 1.

Hint: The cause of this error is usually that your
query contains a reference to a field which does not
exist. You should verify that the fields included in
your query exist and that you have specified their
names correctly.


The error occurred while processing an element with a
general identifier of (CFQUERY), occupying document
position (201:1) to (201:78).


Date/Time: 03/13/02 18:00:19
Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0)
Remote Address: 66.109.35.50
 











Re: ?? prorating a purchase?

2002-04-12 Thread Eric Dawson

Not sure I understand.
I am presuming someone is buying something and paying a monthly fee.

as they go through time they can continue to pay monthly - or pay for the 
remaining amount owing?

When prorating by months in a period I usually calculate the difference in 
months by:
EXPYear*12 + EXPMonth - CurYear*12 - CurMonth

From: Brad T Comer- Ameritech [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Subject: ??
Date: Fri, 12 Apr 2002 07:54:46 -0500

Can anyone assist, I have a headache from this puppy!

Prorating a purchase:
X=Cost 2500 for a year OR 2500/12 *
DifferenceInMonthsFromEXPMonthandCurrentMonth
Exp date is 08/31/02

If i make a purchase today I should be charged the difference in months
times {X}

Thanks
BtC





Access table record limit?

2002-04-12 Thread Jon Hall

Does anyone know what a practical limit of records should be in an Access
table? The reason I ask is that I have a table for a feature I am
implementing that with some really broad estimates of mine could hit 20,000
records in a year of heavy usage (for this app, which really wouldn't be
heavy usage relatively speaking...). Any higher than that and I'd insist on
SQL Server for performance. This particular table has just 4 fields, and is
nicely indexable... I've seen some outrageous Access databases in my time
that worked, but I can't remember if I've seen 20k records in one table.

jon




Re: ??

2002-04-12 Thread Dave Hannum

Take a look at this and see if it makes sense.


<CFSET CPY = 2500> <!--- Cost Per year --->
<CFSET CPM = CPY / 12> <!--- Cost Per month --->

<CFSET CycleStart = "03/01/2002"> <!--- Cycle Start Date --->
<CFSET CycleMonth = '12'> <!--- No. of Months in your cycle --->
<CFSET CycleEnd = DateFormat(DateAdd('m', CycleMonth, CycleStart),
"mm/dd/yyyy")> <!--- Cycle End Date --->
<CFSET today = DateFormat(NOW(), "mm/dd/yyyy")> <!--- Sign up date --->
<CFSET monthsLeft = DateDiff('m', today, CycleEnd)> <!--- Months to
pro-rate --->
<CFSET Charges = monthsLeft * CPM> <!--- Pro-rated charge Calculated --->
<!--- See the logic output --->
<CFOUTPUT>#CycleStart# - #CycleEnd# - #today# - #monthsLeft# -
#DollarFormat(Charges)#</CFOUTPUT>

Dave


- Original Message -
From: Brad T Comer- Ameritech [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 8:54 AM
Subject: ??


Can anyone assist, I have a headache from this puppy!

Prorating a purchase:
X=Cost 2500 for a year OR 2500/12 *
DifferenceInMonthsFromEXPMonthandCurrentMonth
Exp date is 08/31/02

If i make a purchase today I should be charged the difference in months
times {X}

Thanks
BtC





Re: Access table record limit?

2002-04-12 Thread Howie Hamlin

Access 2000:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/off2000/html/acrefDatabaseSpecificationsS.asp

Access 2002:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q302524

HTH,

Howie

- Original Message - 
From: Jon Hall [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 9:40 AM
Subject: Access table record limit?


 Does anyone know what a practical limit of records should be in an Access
 table? The reason I ask is that I have a table for a feature I am
 implementing that with some really broad estimates of mine could hit 20,000
 records in a year of heavy usage (for this app, which really wouldn't be
 heavy usage relatively speaking...). Any higher than that and I'd insist on
 SQL Server for performance. This particular table has just 4 fields, and is
 nicely indexable... I've seen some outrageous Access databases in my time
 that worked, but I can't remember if I've seen 20k records in one table.
 
 jon
 
 



Re: Recordset to structure?

2002-04-12 Thread Sharon Diorio

It depends on what you want the structure to look like.  The query structure is 
ideally suited to manipulating the data as it's returned from the tables.  But 
structures can be any number of things.  I tend to use them to create hierarchies.  
Give us some more information about what you're trying to do, and we'll be able to 
help you.

Sharon
- Original Message - 
From: Kay Smoljak [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 2:13 AM
Subject: Recordset to structure?


 Hi all,
 
 I'm wondering what the simplest way would be to convert a query
 recordset to a structure. I know that a recordset *is* a structure, but
 I would like to copy it to the session scope and add, edit and remove
 keys as it goes through various scripts. I can't find anything on the
 developer's exchange.
 
 The two options I can see are looping over each record and copying it to
 a struct, or using Query functions to manipulate the recordset itself. I
 haven't worked with the query functions very much - are there any
 limitations to either of these approaches? How about performance?
 
 Any pointers would be greatly appreciated.
 
 Kay.
 __
 Kay Smoljak - ColdFusion Developer - PerthWeb Pty Ltd
 
 Level 9/105 St George's Terrace - Perth - Western Australia
 Ph: (08) 9226 1366 Fax: (08) 9226 1375 www.perthweb.com.au
 
 http://developer.perthweb.com.au - Tools for Developers
 cfx_pwcamtech | cfx_pwimageproc | cfx_pwcardcyrpt
 
 
 
 
 
 



RE: Clustered Client variable management

2002-04-12 Thread Craig Thomas

..remember to set the 'setdomaincookies' attribute to true for
clustering(also don't you want to use a db for the client storage?)


<cfapplication name="Intranet Module"
clientmanagement="Yes"
setclientcookies="Yes"
ClientStorage="Cookie"
setdomaincookies="yes">

-craig

-Original Message-
From: Dowdell, Jason G [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:52 AM
To: CF-Talk
Subject: Clustered Client variable management


I have a question regarding the application.cfm settings for client
variable management when clustering.

I'm working on an application that I need to maintain user state in.
I want to use cfcookie to set a cookie on the user's machine that
stores a unique key to identify this user by when his browser is
open.  But I want this model to work in a clustered environment
as well as a shared hosting environment.  I'm not worried about
the extra overhead required to use cookies versus session vars.
I just want to know exactly what my cfapplication tag needs to
look like.

e.g.

<cfapplication name="Intranet Module"
clientmanagement="Yes"
setclientcookies="Yes"
ClientStorage="Cookie">

Would this application setting work both on a single server as well
as a clustered application?  The user will not be tied to a specific
machine when we cluster and all permissions for the user will be
obtained from the application specific database.

Any help would be much appreciated.  Especially if you are currently
running a clustered application or have experience with clustering
servers and maintaining state.

Best Regards,
Jason Dowdell
!---
 Jason Dowdell
 [EMAIL PROTECTED]
 321.799.6845
 IM AES - Web Application Developer
 ---





Re: OT Help!

2002-04-12 Thread Justin Scott

 I have a domain name and I want to make sure it works with or with out a
 www. What do I do? Its Win2K and IIS5.

This will involve your DNS configuration as well as IIS, and possibly some
CF (so we can stay somewhat on topic, hehe).


In DNS:

Make sure the A record for the domain itself points to the same IP address
as the www host does..

IN A 1.2.3.4
www  IN A 1.2.3.4

If you're expecting to get e-mail on this domain and your mail server IP
address is not the same as the web server for this host, be sure you have MX
records setup correctly or your e-mail will not work.


In IIS:

If you have a dedicated IP address for your web site, configure the web to
use that IP and do NOT setup any host-headers.  If you do NOT have a
dedicated IP address, then you MUST setup the host headers for the
www.domain.com as well as just domain.com.


In CF:

If you like, you can put a check in your Application.cfm (or some other
global code that runs) to check the CGI.SERVER_NAME variable to make sure
the www is present (or not present, whichever you like) and redirect to
the proper host such as...

<cfif comparenocase(cgi.server_name, "www.domain.com")>
  <cflocation url="//www.domain.com#cgi.script_name#?#cgi.query_string#">
</cfif>


I THINK that covers everything..  if you have any other questions on that,
feel free to mail me off-list since it IS a bit off-topic.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com





Re: Re[2]: OT Help!

2002-04-12 Thread Paul Giesenhagen

HOWDY Critz :)

I guess I assumed he had both the www and  the  host records set in his
DNS ... (Sorry Phil)...

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder



 oi Paul!!

 doesn't that need to be setup wherever the DNS is done?


 --
 Critz
 Certified Adv. ColdFusion Developer

 Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion
 
 Friday, April 12, 2002, 10:57:37 AM, you wrote:

 PG Go into your IIS Manager, view the properties of that domain, and under the
 PG general tab, under website identification, click on advanced, make sure you
 PG have your ip pointing at both www.domain.com and domain.com

 PG Hopefully this helps, but it might depend on your setup!

 PG Paul Giesenhagen
 PG QuillDesign
 PG http://www.quilldesign.com
 PG SiteDirector v2.0 - Commerce Builder



  Ok I thought I had this understood but I guess I was wrong or I lost my
  mind since the last time I did it.
 
  I have a domain name and I want to make sure it works with or without a
  www. What do I do? It's Win2K and IIS5.
 
  Thanks
 
  Phillip Broussard
  Tracker Marine Group
  417-873-5957
 
 
 
 PG
 



RE: Re[2]: OT Help!

2002-04-12 Thread Phillip Broussard

Thanks everyone! I thought I was going nuts with IIS. I will look into
the DNS.

 -Original Message-
 From: Carlisle, Eric [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 10:12 AM
 To: CF-Talk
 Subject: RE: Re[2]: OT Help!
 
 oi, Critz is correctamundo!
 
 You need 2 DNS records pointing at the same IP address.  One record points
 the top level domain, the other points the www hostname.
 
 
 -Original Message-
 From: Critz [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 11:03 AM
 To: CF-Talk
 Subject: Re[2]: OT Help!
 
 
 oi Paul!!
 
 doesn't that need to be setup wherever the DNS is done?
 
 
 --
 Critz
 Certified Adv. ColdFusion Developer
 
 Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion
 
 Friday, April 12, 2002, 10:57:37 AM, you wrote:
 
 PG Go into your IIS Manager, view the properties of that domain, and under the
 PG general tab, under website identification, click on advanced, make sure you
 PG have your ip pointing at both www.domain.com and domain.com
 
 PG Hopefully this helps, but it might depend on your setup!
 
 PG Paul Giesenhagen
 PG QuillDesign
 PG http://www.quilldesign.com
 PG SiteDirector v2.0 - Commerce Builder
 
 
 
  Ok I thought I had this understood but I guess I was wrong or I lost my
  mind since the last time I did it.
 
  I have a domain name and I want to make sure it works with or without a
  www. What do I do? It's Win2K and IIS5.
 
  Thanks
 
  Phillip Broussard
  Tracker Marine Group
  417-873-5957
 
 
 
 PG
 
 



Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com




RE: Preventing SQL injection attacks...?

2002-04-12 Thread Kevin Schmidt

Are you using cfqueryparam on all your values too?  This is just one
more layer to help out.

Kevin


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Clint Tredway

If you are using 4.5 or above, you can use the cfqueryparam and that helps.

You can also do checks to see if your variables are integers or not (if that
is what you are passing), you can also compare vars to make sure what you
passed is what's there.

There are also many other things you can do..

HTH
Clint

-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?


Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Access table record limit?

2002-04-12 Thread Shawn Grover

I once worked with an Access DB that would hit 100K + records in one table
on a regular basis.  It performed fine.  However, it was a rather
specialized app, and I think it was primarily doing inserts into the table.
But, I did need to reference the table to extract information through a
second application - never had any problems with the table.

HTH.

Shawn Grover

-Original Message-
From: Jon Hall [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 7:40 AM
To: CF-Talk
Subject: Access table record limit?


Does anyone know what a practical limit of records should be in an Access
table? The reason I ask is that I have a table for a feature I am
implementing that with some really broad estimates of mine could hit 20,000
records in a year of heavy usage (for this app, which really wouldn't be
heavy usage relatively speaking...). Any higher than that and I'd insist on
SQL Server for performance. This particular table has just 4 fields, and is
nicely indexable... I've seen some outrageous Access databases in my time
that worked, but I can't remember if I've seen 20k records in one table.

jon





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Dave Watts

 make sure you are at the latest MDAC and have all service 
 pack applied for SQL. I think that the latest MDAC prevents 
 attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444




Re: Hopefully only a sintaxis problem.

2002-04-12 Thread Mario Martinez R.

Hi All:
My problem is probably silly but it is a pain in the knee
for me.
I have a cvs file from which I need to pull some data in a
QUERY.
My cvs file has some field names that end in the
character ?. CF reports an error when I try to pull
one of these fields in my query.
Below is an example and what I see in the browser.
Any ideas to overcome this pain?
Thanks in advance for any help
Mario

//CF code
<cfquery name="InstrLedAttQuery"
datasource="EkOutsideFilescvs" dbtype="ODBC">

 SELECT  xx?   FROM InstrLedAtt#Item#.txt
</cfquery>


//Error I see in the browser
Error Occurred While Processing Request
Error Diagnostic Information
ODBC Error Code = 07001 (Wrong number of parameters)


[Microsoft][ODBC Text Driver] Too few parameters.
Expected 1.

Hint: The cause of this error is usually that your
query contains a reference to a field which does not
exist. You should verify that the fields included in
your query exist and that you have specified their
names correctly.


The error occurred while processing an element with a
general identifier of (CFQUERY), occupying document
position (201:1) to (201:78).


Date/Time: 03/13/02 18:00:19
Browser: Mozilla/4.0 (compatible; MSIE 5.01; Windows
NT 5.0)
Remote Address: 66.109.35.50
 











RE: Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


 make sure you are at the latest MDAC and have all service
 pack applied for SQL. I think that the latest MDAC prevents
 attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





RE: Coldfusion Cert?

2002-04-12 Thread Yves Arsenault

Thanks,

I'll certainly keep that in mind.

Yves

-Original Message-
From: Tim Painter [mailto:[EMAIL PROTECTED]]
Sent: April 12, 2002 12:19 PM
To: CF-Talk
Subject: Re: Coldfusion Cert?


If you take an exam more than 4 times in 90 days, it will show in the
transcript.  So you might want to think about it before taking the test..

http://www.brainbench.com/xml/bb/common/indfaqs.xml#bbtests_and_methodology_attempts

Tim P.

- Original Message -
From: Declan Maher [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Thursday, April 11, 2002 8:41 AM
Subject: RE: Coldfusion Cert?


 You know that the Coldfusion 5 exam is free on brainbench.com.
 So you can take it anytime you like


 -Original Message-
 From: Yves Arsenault [mailto:[EMAIL PROTECTED]]
 Sent: 11 April 2002 13:11
 To: CF-Talk
 Subject: RE: Coldfusion Cert?


 Thanks,

 I don't have a lot of experience yet, but I may write it soon to get an idea
 of what I should work on

 Yves

 -Original Message-
 From: Declan Maher [mailto:[EMAIL PROTECTED]]
 Sent: April 11, 2002 8:54 AM
 To: CF-Talk
 Subject: RE: Coldfusion Cert?


 Brainbench Certification(tm) Test Overview

 Your Brainbench Certification(tm) test includes the following test
 modules:


 ColdFusion 5

 For each Standard Skills Assessment, you will receive 40 questions.

 Each question is multiple choice with five choices.  You must select the
 one best answer from the 5 choices in order to score a correct answer.

 You will have 180 seconds to answer each question.   The time remaining
 for each question is displayed in the status bar at the bottom of your
 browser.  If the time remaining falls below 30 seconds, the system will
 alert you with a warning message.

 If time expires on any question, that question will

 -Original Message-
 From: Yves Arsenault [mailto:[EMAIL PROTECTED]]
 Sent: 11 April 2002 12:46
 To: CF-Talk
 Subject: RE: Coldfusion Cert?


 How many questions does the BrainBench exam have?

 If you don't mind me asking.

 Yves

 -Original Message-
 From: Declan Maher [mailto:[EMAIL PROTECTED]]
 Sent: April 11, 2002 6:04 AM
 To: CF-Talk
 Subject: RE: Coldfusion Cert?


 I took both. The differences are with the BB one you can keep your books
 and studio open if you want to and nobody knows so it may not be worth
 the paper it's written on. If you do it genuinely then it is a difficult
 exam (CF4 version). You are asked unusual questions of stuff you may
 never have used. I certainly had never come across some of the stuff
 before.

 The official CF exam (CF5) is more straightforward. Hardly any
 ridiculous questions and a better reflection of what's important to
 know. I studied using:
 Ben Forta's Developer Study Guide which is essential and the  Coldfusion
 Web Application Construction Toolkit.
 CF_buster http://www.centrasoft.com/default.cfm
  -This is fairly comprehensive series of tests similar to the real test.

 There are some tests on http://www.cfcertification.com/ and also
 www.forta.com.
 Take as many tests as you can.
 After all this I had 1.5 years experience at the time of taking and got
 the Advanced Cert.


 Regards,
 Declan

 -Original Message-
 From: Scott Van Vliet [mailto:[EMAIL PROTECTED]]
 Sent: 11 April 2002 07:25
 To: CF-Talk
 Subject: RE: Coldfusion Cert?


 Has anyone taken both the MM CF Cert and the BB CF Cert?  If so, what
 are (if any) the differences?  TIA

 -Original Message-
 From: John Wilker [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 10, 2002 6:52 PM
 To: CF-Talk
 Subject: RE: Coldfusion Cert?

 If I recall the tests are still free but it's like 8 bucks to get the
 paper certificate mailed to you. I could be wrong I'm going off memory.
 Great site.

 J.

 John Wilker
 Web Applications Consultant, and Author
 Macromedia Certified ColdFusion Developer
 President/Founder, Inland Empire CFUG.
 www.red-omega.com

 more people are killed by donkeys than by airplane crashes each year


 -Original Message-
 From: Douglas Brown [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 10, 2002 6:38 PM
 To: CF-Talk
 Subject: Re: Coldfusion Cert?


 Yeah it is free right now, I just took it. Only scored a 3.0 I guess I
 need to study some more




 Success is a journey, not a destination!!



 Doug Brown
 - Original Message -
 From: Jeffry Houser [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Wednesday, April 10, 2002 5:30 PM
 Subject: RE: Coldfusion Cert?


   It's not free anymore, although I do recommend taking a look at it
  nonetheless.  (It's cheaper, and won't hurt your resume).
I thought that the Brainbench test (last time I took it) was fairly
  heavy on Stored Procedures and Web protocols without enough emphasis
  on ColdFusion.
 
  At 03:31 PM 4/10/2002 -0700, you wrote:
  I would recommend taking a look at brainbench.com :)  They have a
  free CF5 cert test.  You can use it as a prep.
  
  http://www.brainbench.com
  
  David Schmidt
  
  
  
 

RE: Preventing SQL injection attacks...?

2002-04-12 Thread Yager, Brian T Contractor/NCCIM

Dave,

Could you show me an example of an SQL injection attack?  I want to test my app
to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


 make sure you are at the latest MDAC and have all service 
 pack applied for SQL. I think that the latest MDAC prevents 
 attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





Re: Crosspost: Escaping single quotes

2002-04-12 Thread Jeffry Houser

  Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:
Hi everybody,
 I'm having a problem with an update to a table - the problem is
when I want to update or insert the string Teacher's Group.  CF throws
an error at me when I try this.  I know that CF usually escapes the
single quote, but it's not in this case.  I know I saw a post on
this list or CFDJList about there being a bug with escaping single quotes
in CF4.5.  Anybody know how I can make CF escape the single quote for
insertion into my table?  Thanks

Matt Small








Re: CF-TALK in subject line

2002-04-12 Thread Howie Hamlin

Filter on the To header instead.  Most users don't want the extra text in the 
subject.

HTH,

--
Howie Hamlin - inFusion Project Manager
On-Line Data Solutions, Inc. - www.CoolFusion.com  - 631-737-4668 x101
inFusion Mail Server (iMS) - The Award-winning, Intelligent Mail Server
 Find out how iMS Stacks up to the competition: 
http://www.coolfusion.com/imssecomparison.cfm

- Original Message -
From: Mike Soultanian [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 11:38 AM
Subject: OT: CF-TALK in subject line


 Hello everyone,
 Sorry for the OT post...

 I just joined this list and I was wondering if there's a way to prepend
 CF-TALK to the subject line.  It's kinda difficult to differentiate this
 mail from my non-list mail.

 I understand the use of filters.. I just wanted to check if this list
 feature was available.

 Thanks!
 Mike
 



RE: Crosspost: Escaping single quotes

2002-04-12 Thread Matthew R. Small

No, that preserves single quotes.  I want to escape single quotes.

Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

  Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:
Hi everybody,
 I'm having a problem with an update to a table - the problem is
when I want to update or insert the string Teacher's Group.  CF throws
an error at me when I try this.  I know that CF usually escapes the
single quote, but it's not in this case.  I know I saw a post on
this list or CFDJList about there being a bug with escaping single quotes
in CF4.5.  Anybody know how I can make CF escape the single quote for
insertion into my table?  Thanks

Matt Small









RE: Crosspost: Escaping single quotes

2002-04-12 Thread BillyC

Most RDBMS's escape ' as '', so :

#replace(str, "'", "''", "all")#

---
Billy Cravens


-Original Message-
From: Matthew R. Small [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:56 AM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

No, that preserves single quotes.  I want to escape single quotes.

Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

  Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:
Hi everybody,
 I'm having a problem with an update to a table - the problem is
when I want to update or insert the string Teacher's Group.  CF throws
an error at me when I try this.  I know that CF usually escapes the
single quote, but it's not in this case.  I know I saw a post on
this list or CFDJList about there being a bug with escaping single quotes
in CF4.5.  Anybody know how I can make CF escape the single quote for
insertion into my table?  Thanks

Matt Small










Re: OT: CF-TALK in subject line

2002-04-12 Thread Critz

oi Mike!!

why  not  just  create  a  rule and check for [EMAIL PROTECTED] in the
recipient field?


-- 
Critz
Certified Adv. ColdFusion Developer

Crit[s2k] - CF_ChannelOP Network=Efnet Channel=ColdFusion

Friday, April 12, 2002, 11:38:34 AM, you wrote:

MS Hello everyone,
MS Sorry for the OT post... 

MS I just joined this list and I was wondering if there's a way to prepend
MS CF-TALK to the subject line.  It's kinda difficult to differentiate this
MS mail from my non-list mail.

MS I understand the use of filters.. I just wanted to check if this list
MS feature was available.

MS Thanks!
MS Mike
MS 



RE: Sending Message Alerts...

2002-04-12 Thread Houk, Gary

What is the best way to run the query every 30secs? Is it a scheduled
task, or javascript, or

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 4:47 PM
To: CF-Talk
Subject: RE: Sending Message Alerts...


hidden frames are the best way to do this. just a query that runs in the
hidden frame and every say 30 seconds or so, retrieve the information
from the server and then you can use javascript to paste the message to
another frame.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Bryan Love [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 4:43 PM
To: CF-Talk
Subject: RE: Sending Message Alerts...


how complicated is the message?
you can do it with image pipes...

+---+
Bryan Love
  Macromedia Certified Professional
  Internet Application Developer
  Database Analyst
Telecommunication Systems
[EMAIL PROTECTED]
+---+

...'If there must be trouble, let it be in my day, that my child may have
peace'...
- Thomas Paine, The American Crisis



-Original Message-
From: Houk, Gary [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 11, 2002 1:41 PM
To: CF-Talk
Subject: Sending Message Alerts...


We have an app that has roughly 4-5,000 users accessing it. We would
like to be able to push a message to the user at anytime without them
having to refresh a page. Is there a way to do this...Maybe using hidden
frames or flash???

Thanks,

- Gary






RE: CF-TALK in subject line

2002-04-12 Thread cameronc

In outlook, to avoid having to filter into different folders, you can actually create 
a filter which changes the color of the message.  This allows you to keep everything 
in one folder, but highlight cf-talk messages.  Same effect as a subject line.  I 
actually use this technique to highlight certain authors on the list who I know always 
post accurate and good information.

-Cameron

-
Cameron Childress
On Contract at BioLab Inc.
---
cell:  678-637-5072
aim:   cameroncf
email: [EMAIL PROTECTED]


Hello everyone,
Sorry for the OT post... 

I just joined this list and I was wondering if there's a way to prepend
CF-TALK to the subject line.  It's kinda difficult to differentiate this
mail from my non-list mail.

I understand the use of filters.. I just wanted to check if this list
feature was available.



RE: Crosspost: Escaping single quotes

2002-04-12 Thread Matthew R. Small

Thanks for the try, but it didn't work.  Does anybody know how
ColdFusion escapes a single quote when inserting/updating a database?

- Matt Small

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 11:52 AM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

Most RDBMS's escape ' as '', so :

#replace(str, "'", "''", "all")#

---
Billy Cravens


-Original Message-
From: Matthew R. Small [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:56 AM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

No, that preserves single quotes.  I want to escape single quotes.

Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

  Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:
Hi everybody,
 I'm having a problem with an update to a table - the problem is
when I want to update or insert the string Teacher's Group.  CF throws
an error at me when I try this.  I know that CF usually escapes the
single quote, but it's not in this case.  I know I saw a post on
this list or CFDJList about there being a bug with escaping single quotes
in CF4.5.  Anybody know how I can make CF escape the single quote for
insertion into my table?  Thanks

Matt Small











RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

Let's say your query is:

Select productName from products where productID = #url.productid#

If the url is page.cfm?productid=2 then your db sees
Select productName from products where productID = 2

But if a hacker (I hate that term - may eternal scorn be given to
those who usurped the term and used it as a synonym for cracker)
enters this url:

Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from products

---
Billy Cravens


-Original Message-
From: Yager, Brian T Contractor/NCCIM
[mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack?  I want to test my app
to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


 make sure you are at the latest MDAC and have all service 
 pack applied for SQL. I think that the latest MDAC prevents 
 attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444



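
The query from the message above, first as posted and then hardened with the two measures suggested elsewhere in this thread (an integer check and cfqueryparam). This is an added example, not code posted by any list member; the datasource name shopDSN, the query name getProduct and the error responses are assumptions.

```cfml
<!--- page.cfm: datasource "shopDSN" and query name "getProduct" are
      assumptions made for this example. --->

<!--- BEFORE (vulnerable, shown commented out): url.productid is pasted into
      the SQL text, so "2;delete from products" becomes two statements.

<cfquery name="getProduct" datasource="shopDSN">
    SELECT productName FROM products WHERE productID = #url.productid#
</cfquery>
--->

<!--- AFTER, layer 1: accept only a short run of digits. Anything else is
      rejected before the database is touched. --->
<cfparam name="url.productid" default="">
<cfif NOT REFind("^[0-9]{1,9}$", url.productid)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid product id.</cfoutput>
    <cfabort>
</cfif>

<!--- AFTER, layer 2: pass the value as a typed query parameter. ColdFusion
      checks it against CF_SQL_INTEGER and, where the database supports bind
      variables, sends it separately from the SQL text, so it is treated as
      data and never parsed as SQL. --->
<cfquery name="getProduct" datasource="shopDSN">
    SELECT productName
    FROM products
    WHERE productID = <cfqueryparam value="#url.productid#" cfsqltype="CF_SQL_INTEGER">
</cfquery>

<!--- Encode the value on output as well; it came from the database but may
      have been entered by a user at some point. --->
<cfif getProduct.recordCount EQ 1>
    <cfoutput>#HTMLEditFormat(getProduct.productName)#</cfoutput>
<cfelse>
    <cfoutput>Product not found.</cfoutput>
</cfif>
```

The injected URL in the message above contains no single quote, so filtering single quotes alone does not stop it when the value is used in a numeric context.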



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

kewl link. they got some awesome info besides the sql stuff. good going
jeff!

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Garza, Jeff [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:37 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


There was a real good white paper from NGSSoftware.  It's called Advanced
SQL Injection and can be found near the bottom of this page.

http://www.nextgenss.com/research.html#papers

Frightening...

Jeff Garza
Lead Developer/Webmaster
Spectrum Astro, Inc.
[EMAIL PROTECTED]
http://www.spectrumastro.com


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


That's what I thought.

Man, you think you're an expert, and then some 13 year old somewhere makes
you feel like a punk again :)

Is there a good paper on Macromedia.com about this? I read some of the stuff
but nothing seemed really on-point...

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 8:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


 make sure you are at the latest MDAC and have all service pack applied 
 for SQL. I think that the latest MDAC prevents attacks like this, but 
 I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444







RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

To build on what Dave said, I like to use separate datasources for
different permissions (easily set in CF Admin) - on most applications, I
like having datasourcename_read with read permissions,
datasourcename_delete with delete permissions, etc.  This doesn't
eliminate your problem, but it minimizes the risk of a delete, etc, on a
simple select query.  Of course, this should also be enforced at the DB
security level - if you have a select-only datasource, there's no reason
for the user for that dsn to have write permissions.

---
Billy Cravens


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:40 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

 Had some interesting errors in our logs yesterday. It 
 appears that someone's trying to hack our database by 
 inserting SQL query language into the URL string.
 
 We're doing all the standard security measures, including 
 filtering for single quotes, using database passwords, and 
 the like, and we locked out their IP immediately. But really, 
 how do you prevent this? Any ideas/feedback out there?

There are a number of things you can do to address this:

1. Apply a generic input filter to your web server.
2. Validate all data sent to your application.
3. Limit the application's rights to the database.
4. Use stored procedures exclusively.

Typically, you should at least do the second and third items listed. The
primary issue is one of data validation - making sure that values contain
the appropriate datatype, and if they're string values, that they don't
contain metacharacters that would allow the execution of code. Another
essential item is to limit what rights your application has within the
database; typically, your application should only have rights to read and
write data. If you use stored procedures exclusively, you can limit the
application's rights even further, only allowing it to execute the stored
procedures. Note that you can do this entirely within the database: create a
login and give it the specified rights, then use that login within your
application's datasource. You can also configure the datasource itself to
limit rights, which is also good but is no substitute for doing so within
the database itself.

As mentioned in the first item, you can use an input filter, which is a
piece of software you install on your web server. There are several
available for IIS, such as Microsoft's free URLScan tool or eEye's
SecureIIS:
http://www.microsoft.com/technet/security/
http://www.eeye.com/

I'd recommend that you perform data validation within your application in
any case, though.

These sorts of issues are covered in Fig Leaf Software's Securing
ColdFusion Servers on Windows one-day seminar, if you're interested in that:
http://training.figleaf.com/figleaftraining/Courses/Securing-ColdFusion-Servers-on-Windows.cfm

I'm also going to talk about input filtering at the CF_NORTH conference, I
think:
http://www.cfnorth.com/Agenda/CFnorthCore.cfm?page=Topics

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444


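The effect of limiting the application's rights, as described in the message above, shown as an added example that is not code from any poster in this thread. Python's sqlite3 stands in for the ColdFusion datasource and database login, and the connection labels products_read and products_write are assumptions modelled on the datasourcename_read naming above.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

INJECTED_ID = "2;delete from products"  # the URL value quoted in this thread


def run_injectable_query(conn, product_id):
    """Deliberately unsafe: the value is pasted into the SQL text."""
    sql = "SELECT productName FROM products WHERE productID = " + product_id
    # Assumption: executescript() models a driver that runs every
    # ';'-separated statement it is handed.
    conn.executescript(sql)


def count_products(conn):
    return conn.execute("SELECT COUNT(*) FROM products").fetchone()[0]


def compare_connections():
    """Run the same injectable query over a read-only and a read-write login."""
    workdir = Path(tempfile.mkdtemp())
    db_file = workdir / "products.db"
    results = {}
    try:
        for label, mode in (("products_read", "ro"), ("products_write", "rw")):
            # Constructed sample data, rebuilt before each run.
            setup = sqlite3.connect(str(db_file))
            setup.executescript(
                "DROP TABLE IF EXISTS products;"
                "CREATE TABLE products (productID INTEGER, productName TEXT);"
                "INSERT INTO products VALUES (1, 'Widget');"
                "INSERT INTO products VALUES (2, 'Gadget');"
            )
            setup.close()

            # The access mode is enforced by the database layer,
            # not by the application code that builds the query.
            conn = sqlite3.connect(db_file.as_uri() + "?mode=" + mode, uri=True)
            try:
                run_injectable_query(conn, INJECTED_ID)
                blocked = False
            except sqlite3.OperationalError:
                blocked = True  # the write was refused by the database
            results[label] = {"blocked": blocked,
                              "rows_left": count_products(conn)}
            conn.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, outcome in compare_connections().items():
        print(label, outcome)
```

The query is still injectable on both connections; the read-only one only limits what the injected statement can do, which is why the message treats this as a complement to validation rather than a replacement.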



Client/Session/CFID/CFconfused

2002-04-12 Thread Mike Soultanian

Hey Everyone,
Newbie here... just purchased a copy of Rob Brooks-Bilson's Programming
ColdFusion a few weeks back and I think I'm hooked on this stuff..

I have never done any previous database web dev. but I have done plenty
of HTML.  Well, I just built a message forum and database driven
calendar, and now I'm going to dig in and figure out user logins.  I was
looking at session/cookie/client variables and had a couple questions.

I would like to have my site remember a user's setting if they request
it.  So, I figure that I'll use a single cookie that stores a unique
user-id in a cookie and then request that cookie and reference it
against the user database for the rest of their configuration (username,
email, etc)

What I'm somewhat confused about is if I need to enable client
management to use cookies?  And do I need session management if I want
to make use of session variables, or does that just make the app create
CFID and CFTOKEN.  Here's what I'm guessing, and I was hoping someone
could tell me if I'm right or wrong..

<cfapplication name = "application_name"
clientManagement = "No"
setClientCookies = "No"
sessionManagement = "Yes/No???" - do I need this?
sessionTimeout = "#CreateTimeSpan(0, 0, 30, 0)#"
applicationTimeout = "#CreateTimeSpan(0, 0, 30, 0)#">

Hopefully that makes sense...

Thanks!
Mike
-- 
[...]



RE: Preventing SQL injection attacks...?

2002-04-12 Thread BillyC

This is probably the biggest security problem with web applications.  It
boils down to securing and validating your input.  Most of these attacks
are successful only when you're evaluating a number - since a string
won't execute SQL, but only evaluate it as a string input.  So if you're
expecting numbers, then validate, using isNumeric() or CFQueryParam.  

---
Billy Cravens


-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 10:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?

Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Rich Wild

stored procedures are your friends.

they enforce strict datatypes.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: 12 April 2002 17:11
 To: CF-Talk
 Subject: RE: Preventing SQL injection attacks...?
 
 
 This is probably the biggest security problem with web applications.  It
 boils down to securing and validating your input.  Most of these attacks
 are successful only when you're evaluating a number - since a string
 won't execute SQL, but only evaluate it as a string input.  So if you're
 expecting numbers, then validate, using isNumeric() or CFQueryParam.
 
 ---
 Billy Cravens
 
 
 -Original Message-
 From: Ian Lurie [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 10:17 AM
 To: CF-Talk
 Subject: Preventing SQL injection attacks...?
 
 Hi all,
 
 Had some interesting errors in our logs yesterday. It appears that someone's
 trying to hack our database by inserting SQL query language into the URL
 string.
 
 We're doing all the standard security measures, including filtering for
 single quotes, using database passwords, and the like, and we locked out
 their IP immediately. But really, how do you prevent this? Any
 ideas/feedback out there?
 
 Ian
 
 Portent Interactive
 Helping clients build customer relationships on the web since 1995
 Consulting, design, development, measurement
 http://www.portentinteractive.com
 
 
 



Re: Client/Session/CFID/CFconfused

2002-04-12 Thread Justin Scott

Hi Mike, welcome to the CF community!

 I would like to have my site remember a user's setting if they request
 it.  So, I figure that I'll use a single cookie that stores a unique
 user-id in a cookie and then request that cookie and reference it
 against the user database for the rest of their configuration (username,
 email, etc)

For basic display prefs, a single value is fine, but once you start getting
into sites that require more security, consider using two cookies (an id and
a session hash) instead of just one.

 What I'm somewhat confused about is if I need to enable client
 management to use cookies?  And do I need session management if I want
 to make use of session variables, or does that just make the app create
 CFID and CFTOKEN.  Here's what I'm guessing, and I was hoping someone
 could tell me if I'm right or wrong..

If you just want to set your own cookies, client/session management does not
need to be enabled.  You should only leave these types of variables turned
on if you are planning on using them.

For what you're wanting to do, it would probably be wise to just disable
CF's state-management and use your own cookie(s) to handle the prefs.

Just remember that there are any number of ways to handle user sessions, and
you will get a different answer no matter who you ask.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com





Re: Preventing SQL injection attacks...?

2002-04-12 Thread Justin Scott

 won't execute SQL, but only evaluate it as a string input.  So if you're
 expecting numbers, then validate, using isNumeric() or CFQueryParam.

Or if you know a value must be numeric, wrap a val() around it.  That will
knock any text strings down to 0 and prevent an SQL error from being thrown,
as well as allow your app to handle the empty record set just as if any
other invalid numeric value had been tossed at it.

-Justin Scott, Lead Developer
 Sceiron Internet Services, Inc.
 http://www.sceiron.com





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

you can't forget that form fields also play a part in this. after reading
the information provided in jeff's link, it did shine a light. although i
have been taught from the beginning to always use val() around numeric
values (thank Adam) and to use regex to validate text input (props Raymond).
if you're anal and take the time to make sure that the information that people
are passing you is in the exact format you want, you shouldn't have a
problem. also, don't rely on javascript, i always do server-side validation
even after client side, just to make certain. i even go as far as putting as
much validation as i can into my stored procedures and triggers. although
SQL server doesn't support regular expressions, which sucks! anyone know a
way it could?

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:36 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


 Could you show me an example of an SQL injection attack? I 
 want to test my app to see what I need to do to protect 
 against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because there's
nothing to gain from dropping a table or deleting records. Real attacks are
usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444





Re: Preventing SQL injection attacks...?

2002-04-12 Thread Brian Scandale

There is a custom tag... cf_formfilter on the developers exchange that I've been 
using... It searches the caller.form.fieldnames structure looking for all sorts of 
nasty includes. 

After just reading it again I think I can also make it filter url submitted input as 
well.

Anyone here use or have comments on this tag's limitations? Was an easy first step for 
me but I am suddenly worried about url hacks as well.

Brian



At 08:17 AM 4/12/02 -0700, you wrote:
Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: Crosspost: Escaping single quotes

2002-04-12 Thread Jeffry Houser

  I am either confused about the functionality you want, or the 
functionality PreserveSingleQuotes provides.

  PreserveSingleQuotes preserves single quotes for database inserts by 
automatically escaping them.  It needs a variable as the value, not a 
string.  I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
 <cfset temp = "Teacher's Group">
 #PreserveSingleQuotes(temp)#
</cfoutput>

  You could probably try to do something more using replace:

  #Replace("Teacher's Group", "'", "''", "all")#

  will return:
   Teacher''s Group


At 11:55 AM 4/12/2002 -0400, you wrote:
No, that preserves single quotes.  I want to escape single quotes.

Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

   Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:
 Hi everybody,
  I'm having a problem with an update to a table - the problem is
 when I want to update or insert the string Teacher's Group.  CF throws
 an error at me when I try this.  I know that CF usually escapes the
 single quote, but it's not in this case.  I know I saw a post on
 this list or CFDJList about there being a bug with escaping single quotes
 in CF4.5.  Anybody know how can I make CF escape the single quote for
 insertion into my table?  Thanks
 
 Matt Small
 
 
 
 
 





RE: Preventing SQL injection attacks...?

2002-04-12 Thread Craig Thomas



Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from
products

---


or worse : Page.cfm?productid=2;drop%table%products;

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:01 PM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


Let's say your query is:

Select productName from products where productID = #url.productid#

If the url is page.cfm?productid=2 then your db sees
Select productName from products where productID = 2

But if a hacker (I hate that term - may eternal scorn be given to
those who usurped the term and used it as a synonym for cracker)
enters this url:

Page.cfm?productid=2;delete%20from%20products

Then your DB sees:

Select productName from products where productID = 2;delete from
products

---
Billy Cravens


-Original Message-
From: Yager, Brian T Contractor/NCCIM
[mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:36 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?

Dave,

Could you show me an example of an SQL injection attack?  I want to test
my app to see what I need to do to protect against this.

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:30 AM
To: CF-Talk
Subject: RE: Preventing SQL injection attacks...?


 make sure you are at the latest MDAC and have all service
 pack applied for SQL. I think that the latest MDAC prevents
 attacks like this, but I could be wrong.

No, MDAC does nothing to prevent SQL injection attacks, which, after all,
use perfectly valid SQL statements.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444







RE: Printing from A Pop-up

2002-04-12 Thread Mark Leder

Works in IE 5 and 6, does not work in NS4.73 nor NS6.2.

Thanks,
Mark


-Original Message-
From: Tim Painter [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 11:14 AM
To: CF-Talk
Subject: Re: Printing from A Pop-up


Mark,
You can stick this in your head tag of the page:

<link rel="alternate" media="print" href="someotherpage.cfm?var1=foo">
So when the user clicks on print, it will request the page and print
that one instead.

I am not sure if it works on Netscape.

Tim P.

- Original Message -
From: Mark Leder [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 10:43 AM
Subject: Printing from A Pop-up


 I have a popup window with some summary content. When a button is 
 clicked in the popup (JS routine), I want to print a hidden page 
 with detailed content (the information is passed from the popup to the

 hidden page). I don't want the user to view the hidden page.

 Is this even possible?

 Thanks,
 Mark

 




Re: Preventing SQL injection attacks...?

2002-04-12 Thread Zac Spitzer

[EMAIL PROTECTED] wrote:

you can't forget that form fields also play a part in this. after reading
the information provided in jeff's link, it did shine a light. although i
have been taught from the beginning to always use val() around numeric
values (thank Adam) and to use regex to validate text input (props Raymond).
if you're anal and take the time to make sure that the information that people
are passing you is in the exact format you want, you shouldn't have a
problem. also, don't rely on javascript, i always do server-side validation
even after client side, just to make certain. i even go as far as putting as
much validation as i can into my stored procedures and triggers. although
SQL server doesn't support regular expressions, which sucks! anyone know a
way it could?

why not just use cfqueryparam, it validates and it makes your sql code 
run faster???




RE: CF - Problem with missing Form Data

2002-04-12 Thread Tony_Petruzzi

try renaming the field from JOB_ID to job. i think that might be an illegal
name. kinda like naming a field creation_date.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Bryan Love [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:07 PM
To: CF-Talk
Subject: RE: CF - Problem with missing Form Data


did anyone ever solve this??

I had a similar problem years ago trying to pass 3,000-character strings
through hidden fields and I'm dying to know the answer...

-Original Message-
From: Vishal Narayan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 10, 2002 8:42 PM
To: CF-Talk
Subject: CF - Problem with missing Form Data


We are using CF4.5 with IIS5 on W2K server and SQL 2000 DB for our website. 
I have a big problem with users getting random errors about missing 
parameters - either form data or url parameters. The required form fields 
are validated for using javascript, which ensures that the problem is not 
caused by necessary fields being left unfilled. A sample of such an error 
is shown below :


---
203.199.247.72 Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
An error occurred while evaluating the expression:
#form.job_id#
Error near line 57, column 13.

Error resolving parameter FORM.JOB_ID
The specified form field cannot be found. This problem is very likely due 
to the fact that you have misspelled the form field name.
The error occurred while processing an element with a general identifier of 
(#form.job_id#), occupying document position (57:12) to (57:24) in the 
template file D:\Inetpub\wwwroot\mysite\myfilename.cfm.



The page doing the referring is validated, and the error log shows that 
they are in fact being referred from the correct template. I know that the 
template doing the referring contains the specified form field. Is the 
browser somehow losing data? Is CF or IIS to blame ? Would like to know if 
anyone else has faced this problem, and what I can do to handle it.

Thanks in anticipation.

Vishal. 






Re: Preventing SQL injection attacks...?

2002-04-12 Thread Sharon Diorio

<cfparam type="date|numeric|string|boolean|UUID|..."> can be used for validating 
almost anything.  It's an underused function.

Sharon DiOrio

- Original Message - 
From: Justin Scott [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?


  won't execute SQL, but only evaluate it as a string input.  So if you're
  expecting numbers, then validate, using isNumeric() or CFQueryParam.
 
 Or if you know a value must be numeric, wrap a val() around it.  That will
 knock any text strings down to 0 and prevent an SQL error from being thrown,
 as well as allow your app to handle the empty record set just as if any
 other invalid numeric value had been tossed at it.
 
 -Justin Scott, Lead Developer
  Sceiron Internet Services, Inc.
  http://www.sceiron.com
 
 
 



RE: Crosspost: Escaping single quotes

2002-04-12 Thread Matthew R. Small

From the CF4.5 Language Reference -
PreserveSingleQuotes -
Prevents ColdFusion from automatically escaping single
quotes  contained in variable.

What is going on is I have a CFGRID that I have to manually update
because it throws an error if I use CFGRIDUPDATE.  My own code which
does the update and insert works perfect except when it encounters the
string Teacher's.   For some reason that I don't know, the single
quote does not get escaped when I pull it from the variable
FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want the
single quote to be escaped so that it will insert into the database
without error.  I've already tried the function
#Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work
for me.  Anybody got any ideas what's going on?

Thanks,

- Matt Small



-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

  I am either confused about the functionality you want, or the 
functionality PreserveSingleQuotes provides.

  PreserveSingleQuotes preserves single quotes for database inserts by 
automatically escaping them.  It needs a variable as the value, not a 
string.  I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
 <cfset temp = "Teacher's Group">
 #PreserveSingleQuotes(temp)#
</cfoutput>

  You could probably try to do something more using replace:

  #Replace("Teacher's Group", "'", "''", "all")#

  will return:
   Teacher''s Group


At 11:55 AM 4/12/2002 -0400, you wrote:
No, that preserves single quotes.  I want to escape single quotes.

Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:32 AM
To: CF-Talk
Subject: Re: Crosspost: Escaping single quotes

   Isn't there a function (PreserveSingleQuotes) that does this?

At 11:38 AM 4/12/2002 -0400, you wrote:
 Hi everybody,
  I'm having a problem with an update to a table - the problem is
 when I want to update or insert the string Teacher's Group.  CF throws
 an error at me when I try this.  I know that CF usually escapes the
 single quote, but it's not in this case.  I know I saw a post on
 this list or CFDJList about there being a bug with escaping single quotes
 in CF4.5.  Anybody know how can I make CF escape the single quote for
 insertion into my table?  Thanks
 
 Matt Small
 
 
 
 
 






RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

this still doesn't look like it would stop someone from entering in a ' into
the string and then executing a sql statement.

Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: Sharon Diorio [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


<cfparam type="date|numeric|string|boolean|UUID|..."> can be used for
validating almost anything.  It's an underused function.

Sharon DiOrio

- Original Message - 
From: Justin Scott [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: Re: Preventing SQL injection attacks...?


  won't execute SQL, but only evaluate it as a string input.  So if you're
  expecting numbers, then validate, using isNumeric() or CFQueryParam.
 
 Or if you know a value must be numeric, wrap a val() around it.  That will
 knock any text strings down to 0 and prevent an SQL error from being thrown,
 as well as allow your app to handle the empty record set just as if any
 other invalid numeric value had been tossed at it.
 
 -Justin Scott, Lead Developer
  Sceiron Internet Services, Inc.
  http://www.sceiron.com
 
 
 




RE: Crosspost: Escaping single quotes

2002-04-12 Thread Jeffry Houser

  What error are you getting?  What database are you using?  Have you tried 
outputting the data after you submit it to see what you are getting?


At 01:38 PM 4/12/2002 -0400, you wrote:
 From the CF4.5 Language Reference -
 PreserveSingleQuotes -
 Prevents ColdFusion from automatically escaping single
quotes  contained in variable.

What is going on is I have a CFGRID that I have to manually update
because it throws an error if I use CFGRIDUPDATE.  My own code which
does the update and insert works perfect except when it encounters the
string Teacher's.   For some reason that I don't know, the single
quote does not get escaped when I pull it from the variable
FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want the
single quote to be escaped so that it will insert into the database
without error.  I've already tried the function
#Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work
for me.  Anybody got any ideas what's going on?

Thanks,

- Matt Small



-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

   I am either confused about the functionality you want, or the
functionality PreserveSingleQuotes provides.

   PreserveSingleQuotes preserves single quotes for database inserts by
automatically escaping them.  It needs a variable as the value, not a
string.  I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
  <cfset temp = "Teacher's Group">
  #PreserveSingleQuotes(temp)#
</cfoutput>

   You could probably try to do something more using replace:

   #Replace("Teacher's Group", "'", "''", "all")#

   will return:
Teacher''s Group


At 11:55 AM 4/12/2002 -0400, you wrote:
 No, that preserves single quotes.  I want to escape single quotes.
 
 Thanks,
 Matt Small
 
 -Original Message-
 From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 11:32 AM
 To: CF-Talk
 Subject: Re: Crosspost: Escaping single quotes
 
Isn't there a function (PreserveSingleQuotes) that does this?
 
 At 11:38 AM 4/12/2002 -0400, you wrote:
  Hi everybody,
   I'm having a problem with an update to a table - the problem
 is
  when I want to update or insert the string Teacher's Group.  CF
 throws
  an error at me when I try this.  I know that CF usually escapes the
  single quote, but it's not in this case.  I know I saw a post with on
  this list or CFDJList about there being a bug with escaping single
  quotes
  in CF4.5.  Anybody know how can I make CF escape the single quote for
  insertion into my table?  Thanks
  
  Matt Small
  
  
  
  
  
 
 





Re: RE: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

cfqueryparam does in fact prevent that code from running.  
cfqueryparam creates a prepared statement with parameters.  It then 
compares what you've entered as a value with the datatype you've 
specified and, if successful, binds the parameters with what you've 
entered.  So, if you entered:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_DECIMAL">

and then in your url entered: id=12;drop table yourtable

It would throw you an error.

As well, if you had:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

 let's say you have a text field that is 100 characters long. you
 can still get a drop table tablename appended to the sql statement
 or write an entire sql statement. Cfqueryparam was meant to speed
 up cfquery, not to be a cure all.
 
 Anthony Petruzzi
 Webmaster
 954-321-4703
 [EMAIL PROTECTED]
 http://www.sheriff.org
 
 
 -Original Message-
 From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:06 PM
 To: CF-Talk
 Subject: Re: Preventing SQL injection attacks...?
 
 
 [EMAIL PROTECTED] wrote:
 
 you can't forget that form fields also play a part in this. after
 reading the information provided in jeff's link, it did shine a
 light. although i have been taught from the beginning to always use
 val() around numeric values (thank Adam) and to use regex to
 validate text input (props Raymond).
 if you're anal and take the time to make sure that the information
 that people are passing you is in the exact format you want, you
 shouldn't have a problem. also, don't rely on javascript, i always
 do server-side validation even after client side, just to make
 certain. i even go as far as putting as much validation as i can
 into my stored procedures and triggers. although SQL server doesn't
 support regular expressions, which sucks! anyone know a way it
 could?
 
 why not just use cfqueryparam, it validates and it makes your sql 
 code 
 run faster???
 
 
 



Re: RE: Deadlock

2002-04-12 Thread ksuh

This is not a CF error.  This is a SQL Server error.  What are you 
doing in your SQL that would cause such deadlocks?

- Original Message -
From: Semrau, Steven L Mr RDAISA/SRA 
[EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:39 am
Subject: RE: Deadlock

 Read up on CFLOCK  it talks about Deadlocks and the possible 
 reasons why.
 
 -Original Message-
 From: Justin Waldrip [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:10 PM
 To: CF-Talk
 Subject: Deadlock
 
 
 Your transaction (process ID #39) was deadlocked with another process
 and has been chosen as the deadlock victim. Rerun your transaction.
 
 I am receiving quite a few of these errors in a row. Where is a good
 place to start looking for things that might cause this?
 
 Thanks,
 
 Justin
 
 
 
 



RE: Crosspost: Escaping single quotes

2002-04-12 Thread Matthew R. Small

This is the offending line:
,SIZE = '#FORM.EDITTABLE.SIZE[i]#'


and the cfoutput of that line:

,SIZE = 'Teacher's Solo'



Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)


[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive'
where id = 1'.


If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small



-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

  What error are you getting?  What database are you using?  Have you
tried 
outputting the data after you submit it to see what you are getting?


At 01:38 PM 4/12/2002 -0400, you wrote:
 From the CF4.5 Language Reference -
 PreserveSingleQuotes -
 Prevents ColdFusion from automatically escaping
single
quotes  contained in variable.

What is going on is I have a CFGRID that I have to manually update
because it throws an error if I use CFGRIDUPDATE.  My own code which
does the update and insert works perfect except when it encounters the
string Teacher's.   For some reason that I don't know, the single
quote does not get escaped when I pull it from the variable
FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want the
single quote to be escaped so that it will insert into the database
without error.  I've already tried the function
#Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work
for me.  Anybody got any ideas what's going on?

Thanks,

- Matt Small



-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 12:49 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

   I am either confused about the functionality you want, or the
functionality PreserveSingleQuotes provides.

   PreserveSingleQuotes preserves single quotes for database inserts by
automatically escaping them.  It needs a variable as the value, not a
string.  I'm assuming you already have Teacher's Group in a variable?

<cfoutput>
  <cfset temp = "Teacher's Group">
  #PreserveSingleQuotes(temp)#
</cfoutput>

   You could probably try to do something more using replace:

   #Replace("Teacher's Group", "'", "''", "all")#

   will return:
Teacher''s Group


At 11:55 AM 4/12/2002 -0400, you wrote:
 No, that preserves single quotes.  I want to escape single quotes.
 
 Thanks,
 Matt Small
 
 -Original Message-
 From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 11:32 AM
 To: CF-Talk
 Subject: Re: Crosspost: Escaping single quotes
 
Isn't there a function (PreserveSingleQuotes) that does this?
 
 At 11:38 AM 4/12/2002 -0400, you wrote:
  Hi everybody,
   I'm having a problem with an update to a table - the
problem
 is
  when I want to update or insert the string Teacher's Group.  CF
 throws
  an error at me when I try this.  I know that CF usually escapes the
  single quote, but it's not in this case.  I know I saw a post with
on
  this list or CFDJList about there being a bug with escaping single
  quotes
  in CF4.5.  Anybody know how can I make CF escape the single quote
for
  insertion into my table?  Thanks
  
  Matt Small
  
  
  
  
  
 
 






FW: Preventing SQL injection attacks...?

2002-04-12 Thread Yager, Brian T Contractor/NCCIM

Sorry Dave...Didn't mean to send that just to you...My mistake!



I never really thought of anything like this.  Can session variables be
compromised doing the same thing..

http://mydomain.com/index.cfm?session.password=whatever

If so, this would be very upsetting to me.  

Thanks,

Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:36 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: RE: Preventing SQL injection attacks...?


 Could you show me an example of an SQL injection attack? I 
 want to test my app to see what I need to do to protect 
 against this.

All of these sorts of attacks rely on tampering with form or URL data to add
SQL statements directly to that data, on the assumption that the data may be
used in an SQL query, in which case the tampered data may execute within the
SQL database. Typically, you'll see examples where you've got a URL like
this:

http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable

However, in real life, typically you won't see attacks like that because there's
nothing to gain from dropping a table or deleting records. Real attacks are
usually more subtle and useful to the attacker. One of my favorites is the
use of the SQL Server system stored procedure xp_cmdshell to open a command
shell, which can be used to fetch a file from an attacker's FTP server and
run it. That's much more interesting.

Note also that most of the examples you'll see will show tampered URL data,
but you can do the same thing with form data almost as easily.

Here's a URL which describes SQL injection attacks:
http://www.owasp.org/asac/input_validation/sql.shtml

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444



Re: FW: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

No.  That would end up in the URL scope:

url.session.password

- Original Message -
From: Yager, Brian T Contractor/NCCIM [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:55 am
Subject: FW: Preventing SQL injection attacks...?

 Sorry Dave...Didn't mean to send that just to you...My mistake!
 
 
 
 I never really thought of anything like this.  Can session 
 variables be
 compromised doing the same thing..
 
 http://mydomain.com/index.cfm?session.password=whatever
 
 If so, this would be very upsetting to me.  
 
 Thanks,
 
 Brian Yager
 President - North AL Cold Fusion Users Group
 Sr. Systems Analyst
 NCCIM/CIC
 [EMAIL PROTECTED]
 (256) 842-8342
 
 
 -Original Message-
 From: Dave Watts [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 11:36 AM
 To: '[EMAIL PROTECTED]'
 Cc: '[EMAIL PROTECTED]'
 Subject: RE: Preventing SQL injection attacks...?
 
 
  Could you show me an example of an SQL injection attack? I 
  want to test my app to see what I need to do to protect 
  against this.
 
 All of these sorts of attacks rely on tampering with form or URL 
 data to add
 SQL statements directly to that data, on the assumption that the 
 data may be
 used in an SQL query, in which case the tampered data may execute 
 within the
 SQL database. Typically, you'll see examples where you've got a 
 URL like
 this:
 
 http://www.myserver.com/myfile.cfm?id=5;drop%20table%20mytable
 
 However, in real life, typically you won't see attacks like that 
 because there's
 nothing to gain from dropping a table or deleting records. Real 
 attacks are
 usually more subtle and useful to the attacker. One of my 
 favorites is the
 use of the SQL Server system stored procedure xp_cmdshell to open 
 a command
 shell, which can be used to fetch a file from an attacker's FTP 
 server and
 run it. That's much more interesting.
 
 Note also that most of the examples you'll see will show tampered 
 URL data,
 but you can do the same thing with form data almost as easily.
 
 Here's a URL which describes SQL injection attacks:
 http://www.owasp.or
 
 Dave Watts, CTO, Fig Leaf Software
 http://www.figleaf.com/
 voice: (202) 797-5496
 fax: (202) 797-5444
 



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Shawn Grover

I haven't used this tag, but did write an in-house UDF that is called in
Application.cfm.  It simply loops through all form, url, and cookie
parameters and replaces a single quote with chr(96) (hope I got that right),
and strips HTML tags.  It would be very easy to change this to also strip
out semi-colons.  The logic/code required is very simple to do.  There's a
few samples of stuff like this at www.cflib.org.

This is a filtering method, and may not catch everything, but with this, and
our use of stored procs where we can, and CFQUERYPARAM, I don't think we are
open to this attack.  hmmm... I better go test that to be sure <grins>

Shawn Grover

-Original Message-
From: Brian Scandale [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:53 AM
To: CF-Talk
Subject: Re: Preventing SQL injection attacks...?


There is a custom tag... cf_formfilter on the developers exchange that
I've been using... It searches the caller.form.fieldnames structure looking
for all sorts of nasty includes.

After just reading it again I think I can also make it filter url submitted
input as well.

Anyone here use or have comments on this tag's limitations? Was an easy first
step for me but I am suddenly worried about url hacks as well.

Brian



At 08:17 AM 4/12/02 -0700, you wrote:
Hi all,

Had some interesting errors in our logs yesterday. It appears that
someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com






CFMAIL Attachment prob...

2002-04-12 Thread Yves Arsenault

This is a sample of code:

<cfdirectory action="LIST"
directory="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\"
name="mydir">

<cfmail from="#email_from#" to="#email_to#" bcc="#email_bcc#"
cc="#email_cc#" subject="#email_sujet#" server="smtp.mergitech.com">
<cfmailparam name="Reply-To" value="Administrateur [EMAIL PROTECTED]">
Thank you for trying

From:#email_from#
To:#email_to#
Cc:#email_cc#
Bcc:#email_bcc#
Date:#DateFormat(email_dateSent,"dd/mm/")#
Subject: #email_sujet#

Body:
#email_body#


<cfmailparam
file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#mydir.name#">
</cfmail>

I've been getting this message:
Unable to attach file.
Cannot attach 'C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\.' to the
mail message.
 The file does not exist.
The error occurred while processing an element with a general identifier of
(CFMAIL), occupying document position (8:1) to (8:130).

The path in the CFMAILPARAM tag is supposed to be the actual address on the
server.
At least that's what I was told this afternoon by one of the techs.

Any Ideas?

Also, can I use something like ExpandPath(//attach/#whatever#) in a
CFMAILPARAM tag?

Thanks a lot all,
I work in a school with a lot of kids around..my brain is turning to
fudge from all the noise!!
Yves Arsenault
Carrefour Infotech
5,promenade Acadian
Charlottetown, IPE
C1C 1M2
[EMAIL PROTECTED]
(902)368-1895 ext.242
ICQ #117650823






RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Tony_Petruzzi

still. if i had the value

tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR

it would still pass in the value as such

select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.


Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?


cfqueryparam does in fact prevent that code from running.  
cfqueryparam creates a prepared statement with parameters.  It then 
compares what you've entered as a value with the datatype you've 
specified and, if successful, binds the parameters with what you've 
entered.  So, if you entered:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_DECIMAL">

and then in your url entered: id=12;drop table yourtable

It would throw you an error.

As well, if you had:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

 let's say you have a text field that is 100 characters long. you
 can still get a drop table tablename appended to the sql statement
 or write an entire sql statement. Cfqueryparam was meant to speed
 up cfquery, not to be a cure all.
 
 Anthony Petruzzi
 Webmaster
 954-321-4703
 [EMAIL PROTECTED]
 http://www.sheriff.org
 
 
 -Original Message-
 From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:06 PM
 To: CF-Talk
 Subject: Re: Preventing SQL injection attacks...?
 
 
 [EMAIL PROTECTED] wrote:
 
 you can't forget that form fields also play a part in this. after
 reading the information provided in jeff's link, it did shine a
 light. although i have been taught from the beginning to always use
 val() around numeric values (thank Adam) and to use regex to
 validate text input (props Raymond).
 if you're anal and take the time to make sure that the information
 that people are passing you is in the exact format you want, you
 shouldn't have a problem. also, don't rely on javascript, i always
 do server-side validation even after client side, just to make
 certain. i even go as far as putting as much validation as i can
 into my stored procedures and triggers. although SQL server doesn't
 support regular expressions, which sucks! anyone know a way it
 could?
 
 why not just use cfqueryparam, it validates and it makes your sql 
 code 
 run faster???
 
 
 

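
The question debated in the messages above (what happens to a quote or a stacked statement when the value is concatenated into the SQL text versus bound as a parameter), as an added example that is not part of any poster's message. Python's sqlite3 stands in for cfqueryparam and the ODBC driver, which is an assumption, and the function names are hypothetical; the three input values are the ones quoted in the thread.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Input values quoted in the thread, reused here as constructed test data.
APOSTROPHE = "Teacher's Solo"
STACKED = "12;drop table yourtable"
QUOTE_BREAK = "tony ' drop table tablename--"


def fresh_db():
    """In-memory database using the table name from the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table yourtable (id integer, size text);"
        "insert into yourtable values (12, 'Competitive');"
    )
    return db


def table_exists(db, name):
    row = db.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def concat_update(db, size):
    """String-built SQL: the value becomes part of the statement text,
    so an apostrophe ends the literal early (the error Matt reported)."""
    try:
        db.execute("update yourtable set size = '" + size + "' where id = 12")
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def concat_select(db, raw_id):
    """String-built SQL through an API that accepts stacked statements
    (executescript stands in for such a driver). Returns whether the
    table still exists afterwards."""
    db.executescript("select * from yourtable where id = " + raw_id)
    return table_exists(db, "yourtable")


def bound_update(db, size):
    """Bound parameter: the value travels separately from the SQL text,
    so quotes inside it are data and need no escaping."""
    db.execute("update yourtable set size = ? where id = ?", (size, 12))
    return db.execute("select size from yourtable where id = 12").fetchone()[0]


def bound_select_text(db, raw_id):
    """The CF_SQL_VARCHAR case: the whole string is compared as one value."""
    rows = db.execute("select * from yourtable where id = ?", (raw_id,)).fetchall()
    return rows, table_exists(db, "yourtable")


def bound_select_decimal(db, raw_id):
    """The CF_SQL_DECIMAL case: type-check first, bind only if it parses."""
    try:
        value = Decimal(raw_id)
    except InvalidOperation:
        return "rejected"
    return db.execute(
        "select * from yourtable where id = ?", (int(value),)
    ).fetchall()


if __name__ == "__main__":
    print("concatenated apostrophe :", concat_update(fresh_db(), APOSTROPHE))
    print("concatenated stacked    : table survives =", concat_select(fresh_db(), STACKED))
    print("bound apostrophe        :", bound_update(fresh_db(), APOSTROPHE))
    print("bound quote-break value :", bound_update(fresh_db(), QUOTE_BREAK))
    print("bound as text           :", bound_select_text(fresh_db(), STACKED))
    print("bound as decimal        :", bound_select_decimal(fresh_db(), STACKED))
```
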



RE: Preventing SQL injection attacks...?

2002-04-12 Thread Hoffman, Joe (CIT)

http://www.houseoffusion.com/hof/security/database.cfm

Joe Hoffman mailto:[EMAIL PROTECTED]
National Institutes of Health 
Center for Information Technology 
Division of Computer System Services

-Original Message-
From: Ian Lurie [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 11:17 AM
To: CF-Talk
Subject: Preventing SQL injection attacks...?


Hi all,

Had some interesting errors in our logs yesterday. It appears that someone's
trying to hack our database by inserting SQL query language into the URL
string.

We're doing all the standard security measures, including filtering for
single quotes, using database passwords, and the like, and we locked out
their IP immediately. But really, how do you prevent this? Any
ideas/feedback out there?

Ian

Portent Interactive
Helping clients build customer relationships on the web since 1995
Consulting, design, development, measurement
http://www.portentinteractive.com





RE: RE: Deadlock

2002-04-12 Thread Craig Thomas

are you using cftransaction tags?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:50 PM
To: CF-Talk
Subject: Re: RE: Deadlock


This is not a CF error.  This is a SQL Server error.  What are you
doing in your SQL that would cause such deadlocks?

- Original Message -
From: Semrau, Steven L Mr RDAISA/SRA
[EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:39 am
Subject: RE: Deadlock

 Read up on CFLOCK  it talks about Deadlocks and the possible
 reasons why.

 -Original Message-
 From: Justin Waldrip [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:10 PM
 To: CF-Talk
 Subject: Deadlock


 Your transaction (process ID #39) was deadlocked with another process
 and has been chosen as the deadlock victim. Rerun your transaction.

 I am receiving quite a few of these errors in a row. Where is a good
 place to start looking for things that might cause this?

 Thanks,

 Justin








RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Ian Lurie

What if you added a replace statement, doubling up on all single quotes?...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:47 AM
To: CF-Talk
Subject: RE: RE: Preventing SQL injection attacks...?


still. if i had the value

tony ' drop table tablename--

and a cfqueryparam with a type of CF_SQL_VARCHAR

it would still pass in the value as such

select * from mytable where username = 'tony ' drop table tablename--'

which would cause the table to be dropped.


Anthony Petruzzi
Webmaster
954-321-4703
[EMAIL PROTECTED]
http://www.sheriff.org


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:45 PM
To: CF-Talk
Subject: Re: RE: Preventing SQL injection attacks...?


cfqueryparam does in fact prevent that code from running.
cfqueryparam creates a prepared statement with parameters.  It then
compares what you've entered as a value with the datatype you've
specified and, if successful, binds the parameters with what you've
entered.  So, if you entered:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_DECIMAL">

and then in your url entered: id=12;drop table yourtable

It would throw you an error.

As well, if you had:

select * from table where id = <cfqueryparam value="#url.id#"
cfsqltype="CF_SQL_VARCHAR">

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

 let's say you have a text field that is 100 characters long. you
 can still get a drop table tablename appended to the sql statement
 or write an entire sql statement. Cfqueryparam was meant to speed
 up cfquery, not to be a cure all.

 Anthony Petruzzi
 Webmaster
 954-321-4703
 [EMAIL PROTECTED]
 http://www.sheriff.org


 -Original Message-
 From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:06 PM
 To: CF-Talk
 Subject: Re: Preventing SQL injection attacks...?


 [EMAIL PROTECTED] wrote:

 you can't forget that form fields also play a part in this. after
 reading the information provided in jeff's link, it did shine a
 light. although i have been taught from the beginning to always use
 val() around numeric values (thank Adam) and to use regex to
 validate text input (props Raymond).
 if you're anal and take the time to make sure that the information
 that people are passing you is in the exact format you want, you
 shouldn't have a problem. also, don't rely on javascript, i always
 do server-side validation even after client side, just to make
 certain. i even go as far as putting as much validation as i can
 into my stored procedures and triggers. although SQL server doesn't
 support regular expressions, which sucks! anyone know a way it
 could?
 
 why not just use cfqueryparam, it validates and it makes your sql
 code
 run faster???








Re: CFMAIL Attachment prob...

2002-04-12 Thread Douglas Brown

Sample...first the file has to be uploaded to the server


<CFFILE ACTION="upload" filefield="fileToSend" destination="D:\mail_files\"
nameconflict="MAKEUNIQUE">
<CFMAIL server="mail.ircproductions.com"
 TO=""
 FROM=""
 SUBJECT="">
 <CFMAILPARAM file="D:\mail_files\#file.serverFile#">
</CFMAIL>


Success is a journey, not a destination!!



Doug Brown
- Original Message -
From: Yves Arsenault [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 11:09 AM
Subject: CFMAIL Attachment prob...


 This is a sample of code:

 cfdirectory action=LIST
 directory=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\
 name=mydir

 cfmail from=#email_from# to=#email_to# bcc=#email_bcc#
 cc=#email_cc# subject=#email_sujet# server=smtp.mergitech.com
 cfmailparam name=Reply-To value=Administrateur
 [EMAIL PROTECTED]
 Thank you for trying

 From:#email_from#
 To:#email_to#
 Cc:#email_cc#
 Bcc:#email_bcc#
 Date:#DateFormat(email_dateSent,dd/mm/)#
 Subject: #email_sujet#

 Body:
 #email_body#


 cfmailparam
 file=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#mydir.name#
 /cfmail

 I've been getting this message:
 Unable to attach file.
 Cannot attach 'C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\.' to the
 mail message.
  The file does not exist.
 The error occurred while processing an element with a general identifier of
 (CFMAIL), occupying document position (8:1) to (8:130).

 The path in the CFMAILPARAM tag is supposed to be the actual address on the
 server.
 At least that's what I was told this afternoon by one of the techs.

 Any Ideas?

 Also, can I use something like ExpandPath(//attach/#whatever#) in a
 CFMAILPARAM tag?

 Thanks alot all,
 I work in a school with alot of kids around..my brain is turning to
 fudge from all the noise!!
 Yves Arsenault
 Carrefour Infotech
 5,promenade Acadian
 Charlottetown, IPE
 C1C 1M2
 [EMAIL PROTECTED]
 (902)368-1895 ext.242
 ICQ #117650823



 



RE: CFMAIL Attachment prob...

2002-04-12 Thread Yves Arsenault

My upload code goes like this (sorry I didn't include it):
<cfif IsDefined("FORM.Attach1")>
<cffile action="UPLOAD"
destination="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\"
nameconflict="MAKEUNIQUE" filefield="attach1">
<cfset CLIENT.Attach1Name=CFFILE.ClientFile>
<cfset CLIENT.Attach1Size=CFFILE.FileSize>
<cfif CLIENT.Attach1Size GT SizeLimit>
<cffile action="DELETE"
file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#CLIENT.Attach1Name#">
<cfset DeleteClientVariable("Attach1Name")>
<cfset DeleteClientVariable("Attach1Size")>
<cflocation url="dspAdmAttach.cfm?FileBig=yes">
</cfif>
<cflocation url="dspAdmAttach.cfm?list=Attach2">

</cfif>

It also runs a check on the file size with the SizeLimit Var.

I also check the Directory with my FTP client after it was uploaded and it
was there, I just get that error with the CFMAILPARAM tag...

Yves



-Original Message-
From: Douglas Brown [mailto:[EMAIL PROTECTED]]
Sent: April 12, 2002 3:36 PM
To: CF-Talk
Subject: Re: CFMAIL Attachment prob...


Sample...first the file has to be uploaded to the server


CFFILE ACTION=upload filefield=fileToSend destination=D:\mail_files\
nameconflict=MAKEUNIQUE
CFMAIL server=mail.ircproductions.com
 TO=
 FROM=
 SUBJECT=
 CFMAILPARAM file=D:\mail_files\#file.serverFile#
/CFMAIL


Success is a journey, not a destination!!



Doug Brown
- Original Message -
From: Yves Arsenault [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 11:09 AM
Subject: CFMAIL Attachment prob...


 This is a sample of code:

 cfdirectory action=LIST
 directory=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\
 name=mydir

 cfmail from=#email_from# to=#email_to# bcc=#email_bcc#
 cc=#email_cc# subject=#email_sujet# server=smtp.mergitech.com
 cfmailparam name=Reply-To value=Administrateur
 [EMAIL PROTECTED]
 Thank you for trying

 From:#email_from#
 To:#email_to#
 Cc:#email_cc#
 Bcc:#email_bcc#
 Date:#DateFormat(email_dateSent,dd/mm/)#
 Subject: #email_sujet#

 Body:
 #email_body#


 cfmailparam
 file=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#mydir.name#
 /cfmail

 I've been getting this message:
 Unable to attach file.
 Cannot attach 'C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\.' to
the
 mail message.
  The file does not exist.
 The error occurred while processing an element with a general identifier
of
 (CFMAIL), occupying document position (8:1) to (8:130).

 The path in the CFMAILPARAM tag is supposed to be the actual address on
the
 server.
 At least that's what I was told this afternoon by one of the techs.

 Any Ideas?

 Also, can I use something like ExpandPath(//attach/#whatever#) in a
 CFMAILPARAM tag?

 Thanks a lot all,
 I work in a school with a lot of kids around..my brain is turning to
 fudge from all the noise!!
 Yves Arsenault
 Carrefour Infotech
 5,promenade Acadian
 Charlottetown, IPE
 C1C 1M2
 [EMAIL PROTECTED]
 (902)368-1895 ext.242
 ICQ #117650823








Re: CFMAIL Attachment prob...

2002-04-12 Thread Douglas Brown

try this


 <CFMAILPARAM
file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#file.serverfile#">




Success is a journey, not a destination!!



Doug Brown
- Original Message -
From: Yves Arsenault [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 11:43 AM
Subject: RE: CFMAIL Attachment prob...


 My upload code goes like this (sorry I didn't include it):
 cfif IsDefined(FORM.Attach1)
 cffile action=UPLOAD
 destination=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\
 nameconflict=MAKEUNIQUE filefield=attach1
 cfset CLIENT.Attach1Name=CFFILE.ClientFile
 cfset CLIENT.Attach1Size=CFFILE.FileSize
 cfif CLIENT.Attach1Size GT SizeLimit
 cffile action=DELETE
 file=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#CLIENT.Attach1Nam
 e#
 cfset DeleteClientVariable(Attach1Name)
 cfset DeleteClientVariable(Attach1Size)
 cflocation url=dspAdmAttach.cfm?FileBig=yes
 /cfif
 cflocation url=dspAdmAttach.cfm?list=Attach2

 /cfif

 It also runs a check on the file size with the SizeLimit Var.

 I also check the Directory with my FTP client after it was uploaded and it
 was there, I just get that error with the CFMAILPARAM tag...

 Yves



 -Original Message-
 From: Douglas Brown [mailto:[EMAIL PROTECTED]]
 Sent: April 12, 2002 3:36 PM
 To: CF-Talk
 Subject: Re: CFMAIL Attachment prob...


 Sample...first the file has to be uploaded to the server


 CFFILE ACTION=upload filefield=fileToSend destination=D:\mail_files\
 nameconflict=MAKEUNIQUE
 CFMAIL server=mail.ircproductions.com
  TO=
  FROM=
  SUBJECT=
  CFMAILPARAM file=D:\mail_files\#file.serverFile#
 /CFMAIL


 Success is a journey, not a destination!!



 Doug Brown
 - Original Message -
 From: Yves Arsenault [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Friday, April 12, 2002 11:09 AM
 Subject: CFMAIL Attachment prob...


  This is a sample of code:
 
  cfdirectory action=LIST
  directory=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\
  name=mydir
 
  cfmail from=#email_from# to=#email_to# bcc=#email_bcc#
  cc=#email_cc# subject=#email_sujet# server=smtp.mergitech.com
  cfmailparam name=Reply-To value=Administrateur
  [EMAIL PROTECTED]
  Thank you for trying
 
  From:#email_from#
  To:#email_to#
  Cc:#email_cc#
  Bcc:#email_bcc#
  Date:#DateFormat(email_dateSent,dd/mm/)#
  Subject: #email_sujet#
 
  Body:
  #email_body#
 
 
  cfmailparam
  file=C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#mydir.name#
  /cfmail
 
  I've been getting this message:
  Unable to attach file.
  Cannot attach 'C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\.' to
 the
  mail message.
   The file does not exist.
  The error occurred while processing an element with a general identifier
 of
  (CFMAIL), occupying document position (8:1) to (8:130).
 
  The path in the CFMAILPARAM tag is supposed to be the actual address on
 the
  server.
  At least that's what I was told this afternoon by one of the techs.
 
  Any Ideas?
 
  Also, can I use something like ExpandPath(//attach/#whatever#) in a
  CFMAILPARAM tag?
 
  Thanks a lot all,
  I work in a school with a lot of kids around..my brain is turning to
  fudge from all the noise!!
  Yves Arsenault
  Carrefour Infotech
  5,promenade Acadian
  Charlottetown, IPE
  C1C 1M2
  [EMAIL PROTECTED]
  (902)368-1895 ext.242
  ICQ #117650823
 
 
 
 

 



RE: Deadlock

2002-04-12 Thread Bryan Love

It's important to first understand the nature of a deadlock.

Let's say you have the following two chunks of code anywhere in your app:

CFLOCK session.myVar1 and read session.myVar2 inside the lock 

CFLOCK session.myVar2 and read session.myVar1 inside the lock

If these two chunks of code are ever executed by different threads at the
same time you have a deadlock because each lock is waiting for the other to
finish.

Look through your code and make sure you don't have any issues like this one.

Bryan Love

-Original Message-
From: Justin Waldrip [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 10:10 AM
To: CF-Talk
Subject: Deadlock


Your transaction (process ID #39) was deadlocked with another process
and has been chosen as the deadlock victim. Rerun your transaction.
 
I am receiving quite a few of these errors in a row. Where is a good
place to start looking for things that might cause this?
 
Thanks,
 
Justin






RE: CFMAIL Attachment prob...

2002-04-12 Thread Yager, Brian T Contractor/NCCIM

Have you verified that the file is getting uploaded?


Brian Yager
President - North AL Cold Fusion Users Group
Sr. Systems Analyst
NCCIM/CIC
[EMAIL PROTECTED]
(256) 842-8342


-Original Message-
From: Yves Arsenault [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:10 PM
To: CF-Talk
Subject: CFMAIL Attachment prob...


This is a sample of code:

<cfdirectory action="LIST"
directory="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\"
name="mydir">

<cfmail from="#email_from#" to="#email_to#" bcc="#email_bcc#"
cc="#email_cc#" subject="#email_sujet#" server="smtp.mergitech.com">
<cfmailparam name="Reply-To" value="Administrateur
[EMAIL PROTECTED]">
Thank you for trying

From:#email_from#
To:#email_to#
Cc:#email_cc#
Bcc:#email_bcc#
Date:#DateFormat(email_dateSent,"dd/mm/")#
Subject: #email_sujet#

Body:
#email_body#


<cfmailparam
file="C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\#mydir.name#">
</cfmail>

I've been getting this message:
Unable to attach file.
Cannot attach 'C:\Inetpub\htdocs\infotech\encorepromo\admin\attach\.' to the
mail message.
 The file does not exist.
The error occurred while processing an element with a general identifier of
(CFMAIL), occupying document position (8:1) to (8:130).

The path in the CFMAILPARAM tag is supposed to be the actual address on the
server.
At least that's what I was told this afternoon by one of the techs.

Any Ideas?

Also, can I use something like ExpandPath(//attach/#whatever#) in a
CFMAILPARAM tag?

Thanks a lot all,
I work in a school with a lot of kids around..my brain is turning to
fudge from all the noise!!
Yves Arsenault
Carrefour Infotech
5,promenade Acadian
Charlottetown, IPE
C1C 1M2
[EMAIL PROTECTED]
(902)368-1895 ext.242
ICQ #117650823







Re: RE: Preventing SQL injection attacks...?

2002-04-12 Thread Rick Walters

This code would fail my own code review.  I don't allow any url. or
form. variables inside CFQUERY statements.  This, however, might
pass.

<!--- Validate ID --->
<cfif #isdefined("id")# is true>
<cfset theId=#val(htmleditformat(REreplacenocase(id,
"[*,;^:?|\]", " ", "ALL" )))#>
<cfelse>
<cfset theId=0>
</cfif>

<!--- update time of last visit for this user --->
<cfquery name="queryit" datasource="#dsn#">
  update people
  set updated = '#dateformat(now(), "MM/DD/")#'
  where peopleid = <cfqueryparam value="#theid#"
cfsqltype="cf_sql_integer">
</cfquery>

(Note:  I am not using CFQueryParam here as a validation tool.  I
already know the variable is an integer.  This query is from a header
and will fire every page load so I want successive queries to run from
cache on the Database server.)



Good Fortune,
Richard Walters,
Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

 [EMAIL PROTECTED] 04/12/02 01:44PM 
cfqueryparam does in fact prevent that code from running.  
cfqueryparam creates a prepared statement with parameters.  It then 
compares what you've entered as a value with the datatype you've 
specified and, if successful, binds the parameters with what you've 
entered.  So, if you entered:

select * from table where id = cfqueryparam value=#url.id# 
cfsqltype=CF_SQL_DECIMAL

and then in your url entered: id=12;drop table yourtable

It would throw you an error.

As well, if you had:

select * from table where id = cfqueryparam value=#url.id# 
cfsqltype=CF_SQL_VARCHAR

It would create the equivalent SQL statement of:

select * from table where id = '12;drop table yourtable'

- Original Message -
From: [EMAIL PROTECTED] 
Date: Friday, April 12, 2002 11:00 am
Subject: RE: Preventing SQL injection attacks...?

 let's say you have a text field that is 100 characters long. you can still
 get a drop table tablename appended to the sql statement or write an
 entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a
 cure all.
 
 Anthony Petruzzi
 Webmaster
 954-321-4703
 [EMAIL PROTECTED] 
 http://www.sheriff.org 
 
 
 -Original Message-
 From: Zac Spitzer [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 1:06 PM
 To: CF-Talk
 Subject: Re: Preventing SQL injection attacks...?
 
 
 [EMAIL PROTECTED] wrote:
 
 you can't forget that form fields also play a part in this. after reading
 the information provided in jeff's link, it did shine a light. although i
 have been taught from the beginning to always use val() around numeric
 values (thank Adam) and to use regex to validate text input (props
 Raymond).
 if you're anal and take the time to make sure that the information that
 people are passing you is in the exact format you want, you shouldn't have a
 problem. also, don't rely on javascript, i always do server-side validation
 even after client side, just to make certain. i even go as far as putting as
 much validation as i can into my stored procedures and triggers. although
 SQL server doesn't support regular expressions, which sucks! anyone know a
 way it could?
 
 why not just use cfqueryparam, it validates and it makes your sql code
 run faster???
 
 
 




RE: Crosspost: Escaping single quotes

2002-04-12 Thread Rick Walters

If you're trying to preserve the quotes so that SQL will recognize them
and end or begin a string, then you use preservesinglequotes().  If you
are trying to escape a single quote but keep it in your database, then
you need to use htmleditformat().

Good Fortune,
Richard Walters,
Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

 [EMAIL PROTECTED] 04/12/02 02:54PM 
  What is the full query?
  I really think that Preserve Single Quotes is supposed to handle
this.   I know you said that it wasn't working, but do you get the same
error if you do this:

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


At 01:59 PM 4/12/2002 -0400, you wrote:
This is the offending line:
,SIZE = '#FORM.EDITTABLE.SIZE[i]#'


and the cfoutput of that line:

,SIZE = 'Teacher's Solo'



Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)


[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive'
where id = 1'.


If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small



-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

   What error are you getting?  What database are you using?  Have
you
tried
outputting the data after you submit it to see what you are getting?


At 01:38 PM 4/12/2002 -0400, you wrote:
  From the CF4.5 Language Reference -
  PreserveSingleQuotes -
  Prevents ColdFusion from automatically escaping
single
 quotes  contained in variable.
 
 What is going on is I have a CFGRID that I have to manually update
 because it throws an error if I use CFGRIDUPDATE.  My own code
which
 does the update and insert works perfect except when it encounters
the
 string Teacher's.   For some reason that I don't know, the single
 quote does not get escaped when I pull it from the variable
 FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want the
 single quote to be escaped so that it will insert into the database
 without error.  I've already tried the function
 #Replace(FORM.EDITTABLE.SIZE[i], ', '', all)# but it doesn't
work
 for me.  Anybody got any ideas what's going on?
 
 Thanks,
 
 - Matt Small
 
 
 
 -Original Message-
 From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 12:49 PM
 To: CF-Talk
 Subject: RE: Crosspost: Escaping single quotes
 
I am either confused about the functionality you want, or the
 functionality PreserveSingleQuotes provides.
 
PreserveSingleQuotes preserves single quotes for database inserts
by
 automatically escaping them.  It needs a variable as the value, not
a
 string.  I'm assuming you already have Teacher's Group in a
variable?
 
 cfoutput
   cfset temp = Teacher's Group
   #PreserveSingleQuotes(temp)#
 /cfoutput
 
You could probably try to do something more using replace:
 
#Replace(Teacher's Group, ', '', all)#
 
will return:
 Teacher''s Group
 
 
 At 11:55 AM 4/12/2002 -0400, you wrote:
  No, that preserves single quotes.  I want to escape single
quotes.
  
  Thanks,
  Matt Small
  
  -Original Message-
  From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
  Sent: Friday, April 12, 2002 11:32 AM
  To: CF-Talk
  Subject: Re: Crosspost: Escaping single quotes
  
 Isn't there a function (PreserveSingleQuotes) that does this?
  
  At 11:38 AM 4/12/2002 -0400, you wrote:
   Hi everybody,
I'm having a problem with an update to a table - the
problem
  is
   when I want to update or insert the string Teacher's Group. 
CF
  throws
   an error at me when I try this.  I know that CF usually escapes
the
   single quote, but it's not in this case.  I know I saw a post
with
on
   this list or CFDJList about there being a bug with escaping
single
   quotes
   in CF4.5.  Anybody know how can I make CF escape the single
quote
for
   insertion into my table?  Thanks
   
   Matt Small
   
   
   
   
   
  
  
 
 






RE: Crosspost: Escaping single quotes

2002-04-12 Thread Matthew R. Small

Well, Jeffrey, I hadn't actually tried the function so I figured I might
as well give it a shot. It didn't work.  


Just in time compilation error

Invalid parser construct found on line 48 at position 55. ColdFusion was
looking at the following text:

[
Invalid expression format. The usual cause is an error in the expression
structure.

This is line 48

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 2:54 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

  What is the full query?
  I really think that Preserve Single Quotes is supposed to handle 
this.   I know you said that it wasn't working, but do you get the same 
error if you do this:

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


At 01:59 PM 4/12/2002 -0400, you wrote:
This is the offending line:
,SIZE = '#FORM.EDITTABLE.SIZE[i]#'


and the cfoutput of that line:

,SIZE = 'Teacher's Solo'



Here is the error:

ODBC Error Code = 37000 (Syntax error or access violation)


[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive'
where id = 1'.


If I remove the line where Teacher's Solo occurs then it works great.

- Matt Small



-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:37 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

   What error are you getting?  What database are you using?  Have you
tried
outputting the data after you submit it to see what you are getting?


At 01:38 PM 4/12/2002 -0400, you wrote:
  From the CF4.5 Language Reference -
  PreserveSingleQuotes -
  Prevents ColdFusion from automatically escaping
single
 quotes  contained in variable.
 
 What is going on is I have a CFGRID that I have to manually update
 because it throws an error if I use CFGRIDUPDATE.  My own code which
 does the update and insert works perfect except when it encounters
the
 string Teacher's.   For some reason that I don't know, the single
 quote does not get escaped when I pull it from the variable
 FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want the
 single quote to be escaped so that it will insert into the database
 without error.  I've already tried the function
 #Replace(FORM.EDITTABLE.SIZE[i], ', '', all)# but it doesn't
work
 for me.  Anybody got any ideas what's going on?
 
 Thanks,
 
 - Matt Small
 
 
 
 -Original Message-
 From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 12:49 PM
 To: CF-Talk
 Subject: RE: Crosspost: Escaping single quotes
 
I am either confused about the functionality you want, or the
 functionality PreserveSingleQuotes provides.
 
PreserveSingleQuotes preserves single quotes for database inserts
by
 automatically escaping them.  It needs a variable as the value, not a
 string.  I'm assuming you already have Teacher's Group in a
variable?
 
 cfoutput
   cfset temp = Teacher's Group
   #PreserveSingleQuotes(temp)#
 /cfoutput
 
You could probably try to do something more using replace:
 
#Replace(Teacher's Group, ', '', all)#
 
will return:
 Teacher''s Group
 
 
 At 11:55 AM 4/12/2002 -0400, you wrote:
  No, that preserves single quotes.  I want to escape single quotes.
  
  Thanks,
  Matt Small
  
  -Original Message-
  From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 11:32 AM
  To: CF-Talk
  Subject: Re: Crosspost: Escaping single quotes
  
 Isn't there a function (PreserveSingleQuotes) that does this?
  
  At 11:38 AM 4/12/2002 -0400, you wrote:
   Hi everybody,
I'm having a problem with an update to a table - the
problem
  is
   when I want to update or insert the string Teacher's Group.  CF
  throws
   an error at me when I try this.  I know that CF usually escapes
the
   single quote, but it's not in this case.  I know I saw a post
with
on
   this list or CFDJList about there being a bug with escaping
single
   quotes
   in CF4.5.  Anybody know how can I make CF escape the single quote
for
   insertion into my table?  Thanks
   
   Matt Small
   
   
   
   
   
  
  
 
 






RE: Quicky

2002-04-12 Thread Russel Madere

<cfset Field1 = Right(Field1, 12)>

=
Russel Madere
Senior Software Engineer
Turbo Squid, Inc.
http://www.turbosquid.com

Is your head tag nested within your body tag?

 -Original Message-
 From: Janine Jakim [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 2:15 PM
 To: CF-Talk
 Subject: Quicky


 I know the answer is easy, but it's late on Friday and it's been a long
 week...
 Ok I need to set a variable with CFSET- (not in a query) to be the last 12
 characters of another field.
 ie:
 I want
 FIELD1:  12345678901234567890
 to be set as:
 FIELD2:  901234567890
 Thanks in advance.
 j
 



Re: RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

No, it won't.

It'll produce the SQL equivalent of:

select * from mytable where username = 'tony ''drop table tablename --'

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:46 am
Subject: RE: RE: Preventing SQL injection attacks...?

 still. if i had the value
 
 tony ' drop table tablename--
 
 and a cfqueryparam with a type of CF_SQL_VARCHAR
 
 it would still pass in the value as such
 
 select * from mytable where username = 'tony ' drop table 
 tablename--'
 
 which would cause the table to be dropped.
 
 
 Anthony Petruzzi
 Webmaster
 954-321-4703
 [EMAIL PROTECTED]
 http://www.sheriff.org
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:45 PM
 To: CF-Talk
 Subject: Re: RE: Preventing SQL injection attacks...?
 
 
 cfqueryparam does in fact prevent that code from running.  
 cfqueryparam creates a prepared statement with parameters.  It 
 then 
 compares what you've entered as a value with the datatype you've 
 specified and, if successful, binds the parameters with what 
 you've 
 entered.  So, if you entered:
 
 select * from table where id = cfqueryparam value=#url.id# 
 cfsqltype=CF_SQL_DECIMAL
 
 and then in your url entered: id=12;drop table yourtable
 
 It would throw you an error.
 
 As well, if you had:
 
 select * from table where id = cfqueryparam value=#url.id# 
 cfsqltype=CF_SQL_VARCHAR
 
 It would create the equivalent SQL statement of:
 
 select * from table where id = '12;drop table yourtable'
 
 - Original Message -
 From: [EMAIL PROTECTED]
 Date: Friday, April 12, 2002 11:00 am
 Subject: RE: Preventing SQL injection attacks...?
 
  let's say you have a text field that is 100 characters long. you can still
  get a drop table tablename appended to the sql statement or write an
  entire sql statement. Cfqueryparam was meant to speed up cfquery, not to be a
  cure all.
  
  Anthony Petruzzi
  Webmaster
  954-321-4703
  [EMAIL PROTECTED]
  http://www.sheriff.org
  
  
  -Original Message-
  From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 1:06 PM
  To: CF-Talk
  Subject: Re: Preventing SQL injection attacks...?
  
  
  [EMAIL PROTECTED] wrote:
  
  you can't forget that form fields also play a part in this. after reading
  the information provided in jeff's link, it did shine a light. although i
  have been taught from the beginning to always use val() around numeric
  values (thank Adam) and to use regex to validate text input (props
  Raymond).
  if you're anal and take the time to make sure that the information that
  people are passing you is in the exact format you want, you shouldn't have a
  problem. also, don't rely on javascript, i always do server-side validation
  even after client side, just to make certain. i even go as far as putting as
  much validation as i can into my stored procedures and triggers. although
  SQL server doesn't support regular expressions, which sucks! anyone know a
  way it could?
  
  why not just use cfqueryparam, it validates and it makes your sql code
  run faster???
  
  
  
 
 
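The binding behaviour argued over in this thread, and the unescaped quote from the "Escaping single quotes" thread, run side by side as an added example that is not from any list post. Python's sqlite3 placeholders stand in for cfqueryparam (an assumption, as are the table layout, the sample row and every function name); the inputs are the ones quoted in the two threads.

```python
import sqlite3


def fresh_db():
    """In-memory SQLite database with one constructed row (sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table yourtable (id integer, username text, size text)")
    db.execute("insert into yourtable values (12, 'tony', 'Group')")
    db.commit()
    return db


def table_exists(db):
    count = db.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'yourtable'"
    ).fetchone()[0]
    return count == 1


def select_by_id_concatenated(db, raw_id):
    """Unsafe: the request value is pasted into the SQL text.

    executescript() stands in for a driver that accepts a batch of
    statements, so the text after ';' runs as a second statement.
    """
    db.executescript("select * from yourtable where id = " + raw_id)


def select_by_id_bound(db, raw_id):
    """Integer parameter, modelling cfsqltype=cf_sql_integer.

    The type check happens before the database sees anything.
    """
    value = int(raw_id)  # ValueError for '12;drop table yourtable'
    return db.execute(
        "select username from yourtable where id = ?", (value,)
    ).fetchall()


def select_by_username_bound(db, raw_username):
    """String parameter, modelling cfsqltype=CF_SQL_VARCHAR."""
    return db.execute(
        "select id from yourtable where username = ?", (raw_username,)
    ).fetchall()


def update_size_concatenated(db, raw_size):
    """Unsafe: a quote inside the value ends the SQL string literal early."""
    db.execute("update yourtable set size = '" + raw_size + "' where id = 12")


def update_size_bound(db, raw_size):
    """The value travels separately from the statement; no escaping needed."""
    db.execute("update yourtable set size = ? where id = 12", (raw_size,))
    return db.execute("select size from yourtable where id = 12").fetchone()[0]


def run_cases():
    """Run the threads' inputs through both styles and report what happened."""
    report = {}

    db = fresh_db()
    select_by_id_concatenated(db, "12;drop table yourtable")
    report["concatenated_id_table_exists"] = table_exists(db)

    db = fresh_db()
    try:
        select_by_id_bound(db, "12;drop table yourtable")
        report["bound_integer"] = "accepted"
    except ValueError:
        report["bound_integer"] = "rejected"
    report["bound_integer_table_exists"] = table_exists(db)
    report["bound_integer_valid"] = select_by_id_bound(db, "12")

    report["bound_varchar_rows"] = select_by_username_bound(
        db, "tony ' drop table tablename--"
    )
    report["bound_varchar_table_exists"] = table_exists(db)

    try:
        update_size_concatenated(db, "Teacher's Solo")
        report["concatenated_quote"] = "stored"
    except sqlite3.OperationalError:
        report["concatenated_quote"] = "syntax error"
    report["bound_quote"] = update_size_bound(db, "Teacher's Solo")
    return report


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case}: {outcome}")
```

Only the concatenated lookup loses the table; the bound string is compared as one literal value, and the bound update stores Teacher's Solo unchanged where the concatenated update fails to parse.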



Re: Quicky

2002-04-12 Thread Paul Giesenhagen

<cfset variable = "#Right(field1, 12)#">

That will get the rightmost characters (9 of them) from your field.

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder



 I know the answer is easy, but it's late on Friday and it's been a long
 week...
 Ok I need to set a variable with CFSET- (not in a query) to be the last 12
 characters of another field.
 ie:
 I want
 FIELD1:  12345678901234567890
 to be set as:
 FIELD2:  901234567890
 Thanks in advance.
 j
 



Re: Quicky

2002-04-12 Thread Paul Giesenhagen

Whooo sorry ... (I should have said 12, someone said 9 as I was typing)...

Paul Giesenhagen
QuillDesign
http://www.quilldesign.com
SiteDirector v2.0 - Commerce Builder



 <cfset variable = "#Right(field1, 12)#">

 That will get the rightmost characters (9 of them) from your field.

 Paul Giesenhagen
 QuillDesign
 http://www.quilldesign.com
 SiteDirector v2.0 - Commerce Builder



  I know the answer is easy, but it's late on Friday and it's been a long
  week...
  Ok I need to set a variable with CFSET- (not in a query) to be the last
12
  characters of another field.
  ie:
  I want
  FIELD1:  12345678901234567890
  to be set as:
  FIELD2:  901234567890
  Thanks in advance.
  j
 
 



RE: Quicky

2002-04-12 Thread Raymond Camden

The other poster had it right, but just to be anal, bear in mind you don't
need either the quotes or pounds below. Simply use:

right(field1,12)

not

#right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email: [EMAIL PROTECTED]
Yahoo IM : morpheus

My ally is the Force, and a powerful ally it is. - Yoda 

 -Original Message-
 From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 3:27 PM
 To: CF-Talk
 Subject: Re: Quicky
 
 
 <cfset variable = "#Right(field1, 12)#">
 
 That will get the rightmost characters (9 of them) from your field.
 
 Paul Giesenhagen
 QuillDesign
 http://www.quilldesign.com
 SiteDirector v2.0 - Commerce Builder
 
 
 
  I know the answer is easy, but it's late on Friday and it's 
 been a long
  week...
  Ok I need to set a variable with CFSET- (not in a query) to 
 be the last 12
  characters of another field.
  ie:
  I want
  FIELD1:  12345678901234567890
  to be set as:
  FIELD2:  901234567890
  Thanks in advance.
  j
  
 



Re: Quicky

2002-04-12 Thread Douglas Brown

Anal is good!!! Just think what our code would look like if we were not full of
analisms



Success is a journey, not a destination!!



Doug Brown
- Original Message -
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: RE: Quicky


 The other poster had it right, but just to be anal, bear in mind you don't
 need either the quotes or pounds below. Simply use:

 right(field1,12)

 not

 #right(field1,12)#

 Yes, I'm being anal. ;)

 ===
 Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

 Email: [EMAIL PROTECTED]
 Yahoo IM : morpheus

 My ally is the Force, and a powerful ally it is. - Yoda

  -Original Message-
  From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 3:27 PM
  To: CF-Talk
  Subject: Re: Quicky
 
 
  <cfset variable = "#Right(field1, 12)#">
 
  That will get the rightmost characters (9 of them) from your field.
 
  Paul Giesenhagen
  QuillDesign
  http://www.quilldesign.com
  SiteDirector v2.0 - Commerce Builder
 
 
 
   I know the answer is easy, but it's late on Friday and it's
  been a long
   week...
   Ok I need to set a variable with CFSET- (not in a query) to
  be the last 12
   characters of another field.
   ie:
   I want
   FIELD1:  12345678901234567890
   to be set as:
   FIELD2:  901234567890
   Thanks in advance.
   j
  
 
 



RE: Crosspost: Escaping single quotes

2002-04-12 Thread Jeffry Houser

  Well, that isn't a database error, at least.  It seems to be spitting up 
on the '[' character.  It is a fairly complicated variable structure (Is it 
structures of structures or just variable names with dots in them? )

  Maybe you need to play around with pound signs?

   '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[#i#])#'

  I'm stuck and without database / code to attempt to debug against, I 
don't think there is much other help I could offer.
  Did you try HTMLEditFormat as someone else had suggested?

At 03:27 PM 4/12/2002 -0400, you wrote:
Well, Jeffrey, I hadn't actually tried the function so I figured I might
as well give it a shot. It didn't work.


Just in time compilation error

Invalid parser construct found on line 48 at position 55. ColdFusion was
looking at the following text:

[
Invalid expression format. The usual cause is an error in the expression
structure.

This is line 48

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:54 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

   What is the full query?
   I really think that Preserve Single Quotes is supposed to handle
this.   I know you said that it wasn't working, but do you get the same
error if you do this:

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


At 01:59 PM 4/12/2002 -0400, you wrote:
 This is the offending line:
 ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'
 
 
 and the cfoutput of that line:
 
 ,SIZE = 'Teacher's Solo'
 
 
 
 Here is the error:
 
 ODBC Error Code = 37000 (Syntax error or access violation)
 
 
 [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
 operator) in query expression ''Teacher's Solo' ,TYPE = 'Competitive'
 where id = 1'.
 
 
 If I remove the line where Teacher's Solo occurs then it works great.
 
 - Matt Small
 
 
 
 -Original Message-
 From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:37 PM
 To: CF-Talk
 Subject: RE: Crosspost: Escaping single quotes
 
What error are you getting?  What database are you using?  Have you
 tried
 outputting the data after you submit it to see what you are getting?
 
 
 At 01:38 PM 4/12/2002 -0400, you wrote:
   From the CF4.5 Language Reference -
   PreserveSingleQuotes -
   Prevents ColdFusion from automatically escaping
 single
  quotes  contained in variable.
  
  What is going on is I have a CFGRID that I have to manually update
  because it throws an error if I use CFGRIDUPDATE.  My own code which
  does the update and insert works perfect except when it encounters
the
  string Teacher's.   For some reason that I don't know, the single
  quote does not get escaped when I pull it from the variable
  FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want the
  single quote to be escaped so that it will insert into the database
  without error.  I've already tried the function
  #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work
  for me.  Anybody got any ideas what's going on?
  
  Thanks,
  
  - Matt Small
  
  
  
  -Original Message-
  From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 12:49 PM
  To: CF-Talk
  Subject: RE: Crosspost: Escaping single quotes
  
 I am either confused about the functionality you want, or the
  functionality PreserveSingleQuotes provides.
  
 PreserveSingleQuotes preserves single quotes for database inserts
by
  automatically escaping them.  It needs a variable as the value, not a
  string.  I'm assuming you already have Teacher's Group in a
variable?
  
  <cfoutput>
  <cfset temp = "Teacher's Group">
  #PreserveSingleQuotes(temp)#
  </cfoutput>
  
   You could probably try to do something more using replace:
  
   #Replace("Teacher's Group", "'", "''", "all")#
  
 will return:
  Teacher''s Group
  
  
  At 11:55 AM 4/12/2002 -0400, you wrote:
   No, that preserves single quotes.  I want to escape single quotes.
   
   Thanks,
   Matt Small
   
   -Original Message-
   From: Jeffry Houser [mailto:[EMAIL PROTECTED]]
   Sent: Friday, April 12, 2002 11:32 AM
   To: CF-Talk
   Subject: Re: Crosspost: Escaping single quotes
   
  Isn't there a function (PreserveSingleQuotes) that does this?
   
   At 11:38 AM 4/12/2002 -0400, you wrote:
Hi everybody,
 I'm having a problem with an update to a table - the
 problem
   is
when I want to update or insert the string Teacher's Group.  CF
   throws
an error at me when I try this.  I know that CF usually escapes
the
single quote, but it's not in this case.  I know I saw a post
with
 on
this list or CFDJList about there being a bug with escaping
single
quotes
in CF4.5.  Anybody know how can I make CF escape the single quote
 for
insertion into my table?  Thanks

Matt Small





   
   
  
  
 
 



RE: RE: Deadlock

2002-04-12 Thread Haggerty, Michael A.

I have fought these particular beasts before... Uggh!

Contrary to popular opinion, I would guess this is a coding problem and that
you are using a CFTRANSACTION that calls upon multiple tables? What is
happening is two different transactions are locking tables and getting stuck
waiting for the other transaction to release the ones it's got locked up.

A diagram to illustrate the point: 

TRANS_1: 
 - SELECT FROM tbl_a
 - SELECT FROM tbl_b

TRANS_2: 
 - SELECT FROM tbl_b
 - SELECT FROM tbl_a

When two users fire the transactions at the same time, the result is the
error you are experiencing.

This is just a guess, tho... the solution is to take a closer look at those
transactions.

M


-Original Message-
From: Craig Thomas [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:21 PM
To: CF-Talk
Subject: RE: RE: Deadlock


are you using cftransaction tags?


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 1:50 PM
To: CF-Talk
Subject: Re: RE: Deadlock


This is not a CF error.  This is a SQL Server error.  What are you
doing in your SQL that would cause such deadlocks?

- Original Message -
From: Semrau, Steven L Mr RDAISA/SRA
[EMAIL PROTECTED]
Date: Friday, April 12, 2002 11:39 am
Subject: RE: Deadlock

 Read up on CFLOCK  it talks about Deadlocks and the possible
 reasons why.

 -Original Message-
 From: Justin Waldrip [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 1:10 PM
 To: CF-Talk
 Subject: Deadlock


 Your transaction (process ID #39) was deadlocked with another process
 and has been chosen as the deadlock victim. Rerun your transaction.

 I am receiving quite a few of these errors in a row. Where is a good
 place to start looking for things that might cause this?

 Thanks,

 Justin






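Added example, not from the thread: the lock-ordering problem in the TRANS_1 / TRANS_2 diagram above, checked mechanically. It goes beyond the two-table case by looking for a cycle in the order tables are first locked across any number of transactions; it assumes each transaction holds its locks until it commits, and the function names are made up for illustration.

```python
from collections import defaultdict


def lock_order_graph(transactions):
    """Build edges 'locked earlier -> locked later' from each transaction.

    transactions maps a name to the tables it touches, in order. Assumes
    locks are held until commit, so only a table's first use matters.
    """
    graph = defaultdict(set)
    for tables in transactions.values():
        held = []
        for table in tables:
            if table in held:
                continue  # already locked by this transaction
            for earlier in held:
                graph[earlier].add(table)
            held.append(table)
    return graph


def find_lock_cycle(transactions):
    """Return the tables forming a lock-order cycle, or None if ordering is consistent."""
    graph = lock_order_graph(transactions)
    done = set()

    def visit(node, path):
        path.append(node)
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:
                # Back edge: some transaction locks nxt before node, another after.
                return path[path.index(nxt):] + [nxt]
            if nxt not in done:
                found = visit(nxt, path)
                if found:
                    return found
        path.pop()
        done.add(node)
        return None

    for start in sorted(graph):
        if start not in done:
            cycle = visit(start, [])
            if cycle:
                return cycle
    return None


if __name__ == "__main__":
    # The two transactions from the diagram in the post above.
    as_posted = {
        "TRANS_1": ["tbl_a", "tbl_b"],
        "TRANS_2": ["tbl_b", "tbl_a"],
    }
    # Same work with TRANS_2 reordered to touch tbl_a first.
    reordered = {
        "TRANS_1": ["tbl_a", "tbl_b"],
        "TRANS_2": ["tbl_a", "tbl_b"],
    }
    print("as posted:", find_lock_cycle(as_posted))
    print("reordered:", find_lock_cycle(reordered))
```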



RE: Quicky

2002-04-12 Thread Janine Jakim

Thanks all- I knew it was super easy- I had stuck in rtrim instead of right-
my bleary eyes didn't catch it- 

-Original Message-
From: Raymond Camden [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 3:30 PM
To: CF-Talk
Subject: RE: Quicky


The other poster had it right, but just to be anal, bare in mind yo dont
need either the quotes or pounds below. Simply use:

right(field1,12)

not

#right(field1,12)#

Yes, I'm being anal. ;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email: [EMAIL PROTECTED]
Yahoo IM : morpheus

My ally is the Force, and a powerful ally it is. - Yoda 

 -Original Message-
 From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 3:27 PM
 To: CF-Talk
 Subject: Re: Quicky
 
 
 cfset variable = #Right(field1, 12)#
 
 That will get the rightmost characters (9 of them) from your field.
 
 Paul Giesenhagen
 QuillDesign
 http://www.quilldesign.com
 SiteDirector v2.0 - Commerce Builder
 
 
 
  I know the answer is easy, but it's late on Friday and it's 
 been a long
  week...
  Ok I need to set a variable with CFSET- (not in a query) to 
 be the last 12
  characters of another field.
  ie:
  I want
  FIELD1:  12345678901234567890
  to be set as:
  FIELD2:  901234567890
  Thanks in advance.
  j
  
 




RE: Crosspost: Escaping single quotes

2002-04-12 Thread Rick Walters

Rats.. that won't work.. so much for code humor.

Good Fortune,
Richard Walters,
Webmaster, Davita Laboratory Services
[EMAIL PROTECTED]
(800) 604-5227 x 3525

 [EMAIL PROTECTED] 04/12/02 03:53PM 
cfset theVariable = #evaluate(chr(39)  Smith's shorts  chr(39))#

cfquery name=queryit datasource=#dsn#
 update items
 set itemname =
#preservesinglequotes(htmleditformat(theVariable))#
/cfquery

How's that for an explanation?  It must be Friday!



Good Fortune,
Richard Walters,
Webmaster, Davita Laboratory Services
[EMAIL PROTECTED] 
(800) 604-5227 x 3525

 [EMAIL PROTECTED] 04/12/02 03:36PM 
  Well, that isn't a database error, at least.  It seems to be
spitting
up 
on the '[' character.  It is a fairly complicated variable structure
(Is it 
structures of structures or just variable names with dots in them? )

  Maybe you need to play around with pound signs?

   '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[#i#])#'

  I'm stuck and without database / code to attempt to debug against, I

don't think there is much other help I could offer.
  Did you try HTMLEditFormat as someone else had suggested?

At 03:27 PM 4/12/2002 -0400, you wrote:
Well, Jeffrey, I hadn't actually tried the function so I figured I
might
as well give it a shot. It didn't work.


Just in time compilation error

Invalid parser construct found on line 48 at position 55. ColdFusion
was
looking at the following text:

[
Invalid expression format. The usual cause is an error in the
expression
structure.

This is line 48

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


Thanks,
Matt Small

-Original Message-
From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 2:54 PM
To: CF-Talk
Subject: RE: Crosspost: Escaping single quotes

   What is the full query?
   I really think that Preserve Single Quotes is supposed to handle
this.   I know you said that it wasn't working, but do you get the
same
error if you do this:

,SIZE = '#PreserveSingleQuotes(FORM.EDITTABLE.SIZE[i])#'


At 01:59 PM 4/12/2002 -0400, you wrote:
 This is the offending line:
 ,SIZE = '#FORM.EDITTABLE.SIZE[i]#'
 
 
 and the cfoutput of that line:
 
 ,SIZE = 'Teacher's Solo'
 
 
 
 Here is the error:
 
 ODBC Error Code = 37000 (Syntax error or access violation)
 
 
 [Microsoft][ODBC Microsoft Access Driver] Syntax error (missing
 operator) in query expression ''Teacher's Solo' ,TYPE =
'Competitive'
 where id = 1'.
 
 
 If I remove the line where Teacher's Solo occurs then it works
great.
 
 - Matt Small
 
 
 
 -Original Message-
 From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 1:37 PM
 To: CF-Talk
 Subject: RE: Crosspost: Escaping single quotes
 
What error are you getting?  What database are you using?  Have
you
 tried
 outputting the data after you submit it to see what you are
getting?
 
 
 At 01:38 PM 4/12/2002 -0400, you wrote:
   From the CF4.5 Language Reference -
   PreserveSingleQuotes -
   Prevents ColdFusion from automatically
escaping
 single
  quotes  contained in variable.
  
  What is going on is I have a CFGRID that I have to manually
update
  because it throws an error if I use CFGRIDUPDATE.  My own code
which
  does the update and insert works perfect except when it
encounters
the
  string Teacher's.   For some reason that I don't know, the
single
  quote does not get escaped when I pull it from the variable
  FORM.EDITTABLE.SIZE[i].  I can't figure out what to do.  I want
the
  single quote to be escaped so that it will insert into the
database
  without error.  I've already tried the function
  #Replace(FORM.EDITTABLE.SIZE[i], "'", "''", "all")# but it doesn't work
  for me.  Anybody got any ideas what's going on?
  
  Thanks,
  
  - Matt Small
  
  
  
  -Original Message-
  From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
  Sent: Friday, April 12, 2002 12:49 PM
  To: CF-Talk
  Subject: RE: Crosspost: Escaping single quotes
  
 I am either confused about the functionality you want, or the
  functionality PreserveSingleQuotes provides.
  
 PreserveSingleQuotes preserves single quotes for database
inserts
by
  automatically escaping them.  It needs a variable as the value,
not a
  string.  I'm assuming you already have Teacher's Group in a
variable?
  
  <cfoutput>
  <cfset temp = "Teacher's Group">
  #PreserveSingleQuotes(temp)#
  </cfoutput>
  
   You could probably try to do something more using replace:
  
   #Replace("Teacher's Group", "'", "''", "all")#
  
 will return:
  Teacher''s Group
  
  
  At 11:55 AM 4/12/2002 -0400, you wrote:
   No, that preserves single quotes.  I want to escape single
quotes.
   
   Thanks,
   Matt Small
   
   -Original Message-
   From: Jeffry Houser [mailto:[EMAIL PROTECTED]] 
   Sent: Friday, April 12, 2002 11:32 AM
   To: CF-Talk
   Subject: Re: Crosspost: Escaping single quotes
   
  Isn't there a function (PreserveSingleQuotes) that does
this?
   
   At 11:38 AM 

RE: Quicky

2002-04-12 Thread Mark A. Kruger - CFG

I think there are the seeds to a book in there somewhere:

Cold Fusion for Anal people?

Perhaps a full line of for anal people books - why not, people admit they
are dummies and idiots at Borders every day g.

-Original Message-
From: Douglas Brown [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 12, 2002 2:40 PM
To: CF-Talk
Subject: Re: Quicky


Anal is good!!! Just think what our code would look like if we were not full
of
analisms



Success is a journey, not a destination!!



Doug Brown
- Original Message -
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 12:30 PM
Subject: RE: Quicky


 The other poster had it right, but just to be anal, bare in mind yo dont
 need either the quotes or pounds below. Simply use:

 right(field1,12)

 not

 #right(field1,12)#

 Yes, I'm being anal. ;)

 ===
 Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

 Email: [EMAIL PROTECTED]
 Yahoo IM : morpheus

 My ally is the Force, and a powerful ally it is. - Yoda

  -Original Message-
  From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 3:27 PM
  To: CF-Talk
  Subject: Re: Quicky
 
 
  cfset variable = #Right(field1, 12)#
 
  That will get the rightmost characters (9 of them) from your field.
 
  Paul Giesenhagen
  QuillDesign
  http://www.quilldesign.com
  SiteDirector v2.0 - Commerce Builder
 
 
 
   I know the answer is easy, but it's late on Friday and it's
  been a long
   week...
   Ok I need to set a variable with CFSET- (not in a query) to
  be the last 12
   characters of another field.
   ie:
   I want
   FIELD1:  12345678901234567890
   to be set as:
   FIELD2:  901234567890
   Thanks in advance.
   j
  
 





RE: Crosspost: Escaping single quotes

2002-04-12 Thread Jeffry Houser

At 04:08 PM 4/12/2002 -0400, you wrote:
Well, actually, I'm okay because I just decided to kill that line of
code altogether.  I just realized that it's not essential to have that
field editable and so everything works without it.

  ;)


I'm sorry that I got you thinking so hard about it.  I still don't know
what the right thing to do is but I won't worry about it anymore.

  Nothing wrong with a little intellectual stimulation between betas.



--
Jeffry Houser | mailto:[EMAIL PROTECTED]
Need a Web Developer?  Contact me!
AIM: Reboog711  | Fax / Phone: 860-223-7946
--
My Books: http://www.instantcoldfusion.com
My Band: http://www.farcryfly.com 




DSN-Less DB Connection

2002-04-12 Thread Anthony DeStefano

Does anyone know the syntax to connect to an Access DB without a DSN?

Also, are there any pros/cons to using DSN-Less connections. I have done it
in ASP without any noticable performance issues, but I am not sure about how
ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]




Re: RE: RE: RE: Preventing SQL injection attacks...?

2002-04-12 Thread ksuh

I myself use SP's whenever possible (there are times when this isn't 
possible).  However, it's beneficial to correctly outline what 
cfqueryparam does, for those people on the list that should be using 
cfqueryparam.

- Original Message -
From: [EMAIL PROTECTED]
Date: Friday, April 12, 2002 2:03 pm
Subject: RE: RE: RE: Preventing SQL injection attacks...?

 i will have to take your word for it since i have probably never 
 use cfquery
 param, nor intend to. i personally always use stored procedures 
 and i do all
 of my validation myself. if cfqueryparam works for you, then use 
 it and god
 bless. i have been taught differently and personally i don't think 
 i would
 trust it.
 
 Anthony Petruzzi
 Webmaster
 954-321-4703
 [EMAIL PROTECTED]
 http://www.sheriff.org
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 3:24 PM
 To: CF-Talk
 Subject: Re: RE: RE: Preventing SQL injection attacks...?
 
 
 No, it won't.
 
 It'll produce the SQL equivalent of:
 
 select * from mytable where username = 'tony ''drop table 
 tablename --'
 
 - Original Message -
 From: [EMAIL PROTECTED]
 Date: Friday, April 12, 2002 11:46 am
 Subject: RE: RE: Preventing SQL injection attacks...?
 
  still. if i had the value
  
  tony ' drop table tablename--
  
  and a cfqueryparam with a type of CF_SQL_VARCHAR
  
  it would still pass in the value as such
  
  select * from mytable where username = 'tony ' drop table 
  tablename--'
  
  which would cause the table to be dropped.
  
  
  Anthony Petruzzi
  Webmaster
  954-321-4703
  [EMAIL PROTECTED]
  http://www.sheriff.org
  
  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 1:45 PM
  To: CF-Talk
  Subject: Re: RE: Preventing SQL injection attacks...?
  
  
  cfqueryparam does in fact prevent that code from running.  
  cfqueryparam creates a prepared statement with parameters.  It 
  then 
  compares what you've entered as a value with the datatype you've 
  specified and, if successful, binds the parameters with what 
  you've 
  entered.  So, if you entered:
  
  select * from table where id = <cfqueryparam value="#url.id#" 
  cfsqltype="CF_SQL_DECIMAL">
  
  and then in your url entered: id=12;drop table yourtable
  
  It would throw you an error.
  
  As well, if you had:
  
  select * from table where id = <cfqueryparam value="#url.id#" 
  cfsqltype="CF_SQL_VARCHAR">
  
  It would create the equivalent SQL statement of:
  
  select * from table where id = '12;drop table yourtable'
  
  - Original Message -
  From: [EMAIL PROTECTED]
  Date: Friday, April 12, 2002 11:00 am
  Subject: RE: Preventing SQL injection attacks...?
  
   let's say you have a text field that is 100 characters long. 
 you 
   can still
   get a drop table tablename appended to the sql statement or 
   write an
   entire sql statment. Cfqueryparam was meant to speed up 
 cfquery, 
   not be to a
   cure all.
   
   Anthony Petruzzi
   Webmaster
   954-321-4703
   [EMAIL PROTECTED]
   http://www.sheriff.org
   
   
   -Original Message-
   From: Zac Spitzer [mailto:[EMAIL PROTECTED]]
   Sent: Friday, April 12, 2002 1:06 PM
   To: CF-Talk
   Subject: Re: Preventing SQL injection attacks...?
   
   
   [EMAIL PROTECTED] wrote:
   
   you can't forget that form fields also play a part in this. 
  after 
   readingthe informaiton provided in jeff's link, it did shine 
 a 
   light. although i
   have been taught from the beginning to always use val() 
 around 
   numbericvalues (thank Adam) and to use regex to validate text 
   input (props
   Raymond).
   if your anal and take the time to make sure that the 
  information that
   people
   are passing you is in the extact fomrat you want, you 
 shouldn't 
   have a
   problem. also, don't rely on javascript, i always do server-
  side 
   validationeven after client side, just to make certain. i 
 even 
  go 
   as far as putting
   as
   much validation as i can into my stored procedures and 
  triggers. 
   althoughSQL server doesn't support regular expressions , 
 which 
   sucks! anyone know a
   way it could?
   
   why not just use cfqueryparam, it validates and it makes your 
  sql 
   code 
   run faster???
   
   
   
  
  
 
 
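Added example, not part of any post above: the two cases argued over in the "Escaping single quotes" and "Preventing SQL injection attacks" threads, run against an in-memory SQLite database with Python's sqlite3 placeholders standing in for cfqueryparam. The table layout, sample rows and function names are constructed for illustration; the input strings are the ones quoted in the threads.

```python
import sqlite3
from decimal import Decimal, InvalidOperation


def make_db():
    """In-memory database with constructed sample rows (not from the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, size TEXT, type TEXT)")
    db.execute("INSERT INTO items VALUES (1, 'Group', 'Competitive')")
    db.execute("CREATE TABLE mytable (username TEXT)")
    db.execute("INSERT INTO mytable VALUES ('tony')")
    db.commit()
    return db


def update_size_concatenated(db, size, row_id):
    """Failing pattern: the value is pasted between quotes in the SQL text.

    Returns the driver's error message, or None if the statement ran.
    """
    sql = "UPDATE items SET size = '" + size + "' WHERE id = " + str(int(row_id))
    try:
        db.execute(sql)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def update_size_bound(db, size, row_id):
    """Bound parameters: the value never becomes part of the SQL text."""
    cur = db.execute("UPDATE items SET size = ? WHERE id = ?", (size, row_id))
    return cur.rowcount


def find_user_bound(db, username):
    """String parameter (the CF_SQL_VARCHAR case): compared as one literal."""
    cur = db.execute("SELECT username FROM mytable WHERE username = ?", (username,))
    return cur.fetchall()


def find_item_by_id(db, raw_id):
    """Numeric parameter (the CF_SQL_DECIMAL case): check the type, then bind."""
    try:
        value = Decimal(raw_id)
    except InvalidOperation:
        raise ValueError("not a decimal value: %r" % (raw_id,))
    if not value.is_finite():
        raise ValueError("not a finite decimal value: %r" % (raw_id,))
    param = int(value) if value == value.to_integral_value() else float(value)
    return db.execute("SELECT id, size FROM items WHERE id = ?", (param,)).fetchall()


def as_sql_literal(db, value):
    """The SQL literal a bound string is equivalent to, via SQLite's quote()."""
    return db.execute("SELECT quote(?)", (value,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # Single-quote thread: concatenation breaks on the apostrophe, binding does not.
    print("concatenated:", update_size_concatenated(db, "Teacher's Solo", 1))
    print("bound rows updated:", update_size_bound(db, "Teacher's Solo", 1))
    # Injection thread: the string quoted there is matched as data, nothing more.
    value = "tony ' drop table tablename--"
    print("equivalent literal:", as_sql_literal(db, value))
    print("rows matched:", find_user_bound(db, value))
    try:
        find_item_by_id(db, "12;drop table yourtable")
    except ValueError as exc:
        print("rejected:", exc)
```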



Re: DSN-Less DB Connection

2002-04-12 Thread Bruce Sorge

First, you will want to create a connection string like so:
<cfset DBPATH=ExpandPath("../../Database")>
<cfset DBFile="Baby.mdb">
<cfset Driver="{Microsoft Access Driver (*.mdb)}">
<cfset ConStr="DRIVER=#Driver#;DBQ=#DBFile#;DefaultDir=#DBPATH#;UID=Admin;PWD=;">

You then want to set up your CFQUERY like so:
<cfquery dbtype="dynamic" connectstring="#ConStr#" name="qAuthenticate">
Query goes here
</cfquery>

-- Original Message --
From: Anthony DeStefano [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 12 Apr 2002 13:17:51 -0700

Does anyone know the syntax to connect to an Access DB without a DSN?

Also, are there any pros/cons to using DSN-Less connections. I have done it
in ASP without any noticable performance issues, but I am not sure about how
ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]





RE: Quicky

2002-04-12 Thread Raymond Camden

Sounds like a good idea. I'll take care of the Evaluate chapter. ;)

Of course, at the same time, I can't stand people who change code from
<cfif x is y> to compare because supposedly compare is .001 ms faster.
;)

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email: [EMAIL PROTECTED]
Yahoo IM : morpheus

My ally is the Force, and a powerful ally it is. - Yoda 

 -Original Message-
 From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]] 
 Sent: Friday, April 12, 2002 4:05 PM
 To: CF-Talk
 Subject: RE: Quicky
 
 
 I think there are the seeds to a book in there somewhere:
 
 Cold Fusion for Anal people?
 
 Perhaps a full line of for anal people books - why not, 
 people admit they
 are dummies and idiots at Borders every day g.




RE: DSN-Less DB Connection

2002-04-12 Thread BillyC

I found that a good way to cheat when building the connection string is
to set up a file datasource (using the ODBC Control Panel applet) then
concatenate each line with a semi-colon delimiter (of course,  you'll
need to change any lines to match the server environment where the data
is stored)

---
Billy Cravens


-Original Message-
From: Bruce Sorge [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 3:34 PM
To: CF-Talk
Subject: Re: DSN-Less DB Connection

First, you will want to create a connection string like so:
<cfset DBPATH=ExpandPath("../../Database")>
<cfset DBFile="Baby.mdb">
<cfset Driver="{Microsoft Access Driver (*.mdb)}">
<cfset ConStr="DRIVER=#Driver#;DBQ=#DBFile#;DefaultDir=#DBPATH#;UID=Admin;PWD=;">

You then want to set up your CFQUERY like so:
<cfquery dbtype="dynamic" connectstring="#ConStr#" name="qAuthenticate">
Query goes here
</cfquery>

-- Original Message --
From: Anthony DeStefano [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 12 Apr 2002 13:17:51 -0700

Does anyone know the syntax to connect to an Access DB without a DSN?

Also, are there any pros/cons to using DSN-Less connections. I have done
it
in ASP without any noticable performance issues, but I am not sure about
how
ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]






RE: DSN-Less DB Connection

2002-04-12 Thread BillyC

Just to clarify, you set up the file DSN locally - then modify the
string you build to match the file path on your production environment
(using functions like #expandPath()# to reduce hard-coding of course)

---
Billy Cravens


-Original Message-
From: Cravens, Billy 
Sent: Friday, April 12, 2002 3:31 PM
To: CF-Talk
Subject: RE: DSN-Less DB Connection

I found that a good way to cheat when building the connection string is
to set up a file datasource (using the ODBC Control Panel applet) then
concatenate each line with a semi-colon delimiter (of course,  you'll
need to change any lines to match the server environment where the data
is stored)

---
Billy Cravens


-Original Message-
From: Bruce Sorge [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 12, 2002 3:34 PM
To: CF-Talk
Subject: Re: DSN-Less DB Connection

First, you will want to create a connection string like so:
<cfset DBPATH=ExpandPath("../../Database")>
<cfset DBFile="Baby.mdb">
<cfset Driver="{Microsoft Access Driver (*.mdb)}">
<cfset ConStr="DRIVER=#Driver#;DBQ=#DBFile#;DefaultDir=#DBPATH#;UID=Admin;PWD=;">

You then want to set up your CFQUERY like so:
<cfquery dbtype="dynamic" connectstring="#ConStr#" name="qAuthenticate">
Query goes here
</cfquery>

-- Original Message --
From: Anthony DeStefano [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 12 Apr 2002 13:17:51 -0700

Does anyone know the syntax to connect to an Access DB without a DSN?

Also, are there any pros/cons to using DSN-Less connections. I have done
it
in ASP without any noticable performance issues, but I am not sure about
how
ColdFusion deals with it.

Many Thanks,
Tony

Anthony DeStefano
Programmer/Analyst
Telect, Inc.
(509) 893-4375
[EMAIL PROTECTED]







Re: Quicky

2002-04-12 Thread Don Vawter

Hmmh   anal and bare (as in naked) mind. What kind of list is this anyway?
;)




- Original Message -
From: Raymond Camden [EMAIL PROTECTED]
To: CF-Talk [EMAIL PROTECTED]
Sent: Friday, April 12, 2002 1:30 PM
Subject: RE: Quicky


 The other poster had it right, but just to be anal, bare in mind yo dont
 need either the quotes or pounds below. Simply use:

 right(field1,12)

 not

 #right(field1,12)#

 Yes, I'm being anal. ;)

 ===
 Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

 Email: [EMAIL PROTECTED]
 Yahoo IM : morpheus

 My ally is the Force, and a powerful ally it is. - Yoda

  -Original Message-
  From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
  Sent: Friday, April 12, 2002 3:27 PM
  To: CF-Talk
  Subject: Re: Quicky
 
 
  cfset variable = #Right(field1, 12)#
 
  That will get the rightmost characters (9 of them) from your field.
 
  Paul Giesenhagen
  QuillDesign
  http://www.quilldesign.com
  SiteDirector v2.0 - Commerce Builder
 
 
 
   I know the answer is easy, but it's late on Friday and it's
  been a long
   week...
   Ok I need to set a variable with CFSET- (not in a query) to
  be the last 12
   characters of another field.
   ie:
   I want
   FIELD1:  12345678901234567890
   to be set as:
   FIELD2:  901234567890
   Thanks in advance.
   j
  
 
 



Help needed - More client variable weirdness

2002-04-12 Thread Shawn Grover

Looking for ideas here, cuz I'm fresh out.

Using a SQL Server 2000 database to store the client variables. On my
computer, I can log into our web app, and see NEW record/CFID for me. When I
log out - which is meant to clear/remove the client variables, my record is
deleted - as it should be.

On a different workstation, as a different user we see different behaviour
(only this one workstation).  When logging out, the client variables are
zeroed/set to defaults - whereas the record should be deleted.  When the
user logs in again, they get the same CFID/CFToken, and this record is
reused.

In Application.CFM, I convert the CFID and CFToken cookies to be memory
based cookies.  So, if all browsers are closed, and the user then opens a
new browser and tries to login, they should get a different CFID/CFToken.

The workstation in question has IE 5.5, with the latest security patchs.  We
have tried deleting the cookie for our domain as well, with the same
results.

This is getting annoying because the developer will do work, get something
functional on his box, and mark it as done.  Yet when another of us tries to
use the code, it fails - and we've tracked it down to a client variable
issue.

Any suggestions?  Thanks in advance.

Shawn Grover




RE: Quicky

2002-04-12 Thread David Schmidt

It's one that degrades as the week goes by, I think...  And it IS Friday!


 -Original Message-
 From: Don Vawter [mailto:[EMAIL PROTECTED]]
 Sent: Friday, April 12, 2002 2:02 PM
 To: CF-Talk
 Subject: Re: Quicky


 Hmmh   anal and bare (as in naked) mind. What kind of list is
 this anyway?
 ;)




 - Original Message -
 From: Raymond Camden [EMAIL PROTECTED]
 To: CF-Talk [EMAIL PROTECTED]
 Sent: Friday, April 12, 2002 1:30 PM
 Subject: RE: Quicky


  The other poster had it right, but just to be anal, bare in mind yo dont
  need either the quotes or pounds below. Simply use:
 
  right(field1,12)
 
  not
 
  #right(field1,12)#
 
  Yes, I'm being anal. ;)
 
  ===
  Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
 
  Email: [EMAIL PROTECTED]
  Yahoo IM : morpheus
 
  My ally is the Force, and a powerful ally it is. - Yoda
 
   -Original Message-
   From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]]
   Sent: Friday, April 12, 2002 3:27 PM
   To: CF-Talk
   Subject: Re: Quicky
  
  
   cfset variable = #Right(field1, 12)#
  
   That will get the rightmost characters (9 of them) from your field.
  
   Paul Giesenhagen
   QuillDesign
   http://www.quilldesign.com
   SiteDirector v2.0 - Commerce Builder
  
  
  
I know the answer is easy, but it's late on Friday and it's
   been a long
week...
Ok I need to set a variable with CFSET- (not in a query) to
   be the last 12
characters of another field.
ie:
I want
FIELD1:  12345678901234567890
to be set as:
FIELD2:  901234567890
Thanks in advance.
j
   
  
 
 


