Jeez, and value="URL.TryToHackThis" should be value="#URL.TryToHackThis#"
so you see that CFQP is not that easy to use ;-))
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this
Closing the apostrophe is exactly how SQL injection occurs with a text field
Ok, you got it!
BUT CFQUERY will escape that apostrophe anyway, so the SQL injection will
just be part of the string stored in the field whether you use CFQP or not.
--
Not if you use MySQL. That DBMS allows for an alternative way to escape
those with a backslash.
Ok, then let's say that CFQP should always be used with MySQL...
... and you haven't turned off MySQL's default way of escaping those
ticks.
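Added example, not code from the thread and not ColdFusion's or MySQL's own implementation: a small Python model of the two escaping rules argued about above. cf_quote_double() doubles apostrophes the way an inline #variable# in CFQUERY is treated (assumption: that is the only rewrite), mysql_literal_end() scans a string literal under MySQL's default rules where a backslash also escapes, and parameterized_roundtrip() is the cfqueryparam equivalent, shown with sqlite3 so it runs offline. The table and column names are made up.

```python
"""Quote-doubling vs. parameter binding: why doubling apostrophes is not
enough on MySQL.  Added example; the escaping and tokenizing below are a
simplified model, not ColdFusion's or MySQL's actual code."""
import sqlite3


def cf_quote_double(value: str) -> str:
    """Model of what happens to a #variable# inside <cfquery>: each single
    quote is doubled (assumption: nothing else is rewritten)."""
    return value.replace("'", "''")


def mysql_literal_end(sql: str, start: int) -> int:
    """Index just past the closing quote of the string literal opening at
    sql[start], using MySQL's default rules (NO_BACKSLASH_ESCAPES off):
    a backslash escapes the next character and '' is a literal quote."""
    if sql[start] != "'":
        raise ValueError("not at a string literal")
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":            # backslash escape: skip the escaped char
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2           # doubled quote, still inside the literal
            else:
                return i + 1     # real closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")


def sql_after_literal(user_input: str) -> str:
    """Build the statement the way an inline #variable# would, then return
    whatever MySQL would see *outside* the intended literal.  An empty
    string means the input stayed inside the quotes."""
    sql = "SELECT id FROM users WHERE name = '" + cf_quote_double(user_input) + "'"
    start = sql.index("'")
    end = mysql_literal_end(sql, start)
    return sql[end:]


def parameterized_roundtrip(user_input: str) -> str:
    """The cfqueryparam equivalent: bind the value, never splice it in.
    Whatever the input contains, it is stored and matched as data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO users (name) VALUES (?)", (user_input,))
    (stored,) = con.execute(
        "SELECT name FROM users WHERE name = ?", (user_input,)).fetchone()
    con.close()
    return stored


if __name__ == "__main__":
    for probe in ["O'Brien", "' OR 1=1 -- ", "\\' OR 1=1 -- "]:
        print(repr(probe), "-> outside the literal:", repr(sql_after_literal(probe)))
        print("   bound value round-trips as", repr(parameterized_roundtrip(probe)))
```

The plain apostrophe probe stays inside the literal after doubling, which is the point made above. The backslash probe does not: MySQL consumes the backslash and the first of the doubled quotes as one escaped quote, the second quote closes the literal, and the rest of the input is parsed as SQL. Binding the value avoids the question entirely.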
When your database executes a SQL statement, it generates an execution plan
that best fits that statement and it caches that plan in memory for later use.
Ok, this is another example where CFQP is useful, as the doc says.
But if the query is not likely to be executed often, which is the case
If you don't really care
I don't really care about measuring the difference it makes, because it must
certainly be marginal, and it is not because I don't care about the difference
it can make that I cannot comment on it.
--
it's safe to say that avoiding * is a good idea,
Now that's the kind of statement I prefer: a good idea,
better than *always* or *never* :-)
--
The code below did not work as you would think it should
Actually, it works with Mozilla and Opera, but not with IE nor Safari.
--
If several people on this list are seeing this attack, it must be pretty widespread.
Until now, I just checked for the strings http or user in url.id
containing something other than an integer value.
I now just added DECLARE in the validation.
All my templates expecting id=some numeric
start with
For what it's worth, the specific URL that was injected in the sample I saw
(http://1.verynx.cn/w.js) doesn't seem to work anymore. The server name
doesn't resolve.
===
Yeah, that sucks, I was going to dissect it.
It is broken now, but this morning I was able to see the code.
That's fine, until the attack pattern contains something else, like Unicode
sequences.
Not from the same address though, because it is banned now.
And the purpose of my code is not to replace CFQUERYPARAM.
It is to add an extra feature that will not only protect the database,
but ALSO the
What other ways are there? I know of two: EXEC and EXECUTE
http (http injection) and user (SQL injection) are classics.
--
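Added example, not code from anyone in the thread: the check discussed above done as an allow-list in Python (the CFML equivalent would be isValid("integer") or a regex on url.id). The integer test is the gate; the keyword list (http, user, DECLARE, EXEC/EXECUTE from the thread, plus CAST and long hex literals, which the mass-injection payloads of that period used to hide the keywords) only labels the rejection for the log. The sample ids and the hidden payload are constructed here, not taken from a real capture.

```python
"""Allow-list validation of url.id with attack labelling for the log.
Added example; the signature names and sample requests are constructed
for illustration and are not taken from the original thread."""
import re
from urllib.parse import unquote_plus

# The gate: a legitimate id is a string of digits, nothing else.
INT_RE = re.compile(r"[0-9]+")

# Labels only.  Rejection never depends on any of these matching.
SIGNATURES = {
    "declare": re.compile(r"\bdeclare\b", re.I),
    "exec": re.compile(r"\bexec(?:ute)?\b", re.I),
    "cast": re.compile(r"\bcast\s*\(", re.I),
    "http": re.compile(r"https?://", re.I),
    "user": re.compile(r"\buser\b", re.I),
    "hex-literal": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),
}
HEX_RE = re.compile(r"\b0x([0-9a-f]+)\b", re.I)


def decode_hex_literals(text: str) -> str:
    """Replace 0x... literals with their decoded bytes so that keywords
    hidden inside CAST(0x... AS VARCHAR) become visible to the labeller."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")
    return HEX_RE.sub(repl, text)


def classify_id(raw: str):
    """Return ("ok", []) for a plain positive integer, otherwise
    ("reject", [labels...]).  Labels are searched on both the raw and the
    hex-decoded value, so an encoded payload still gets named."""
    value = unquote_plus(raw)
    if INT_RE.fullmatch(value):
        return "ok", []
    visible = decode_hex_literals(value)
    labels = [name for name, rx in SIGNATURES.items()
              if rx.search(value) or rx.search(visible)]
    return "reject", labels


# Constructed sample of the payload shape discussed in the thread: the
# statement that would actually run lives inside a hex literal.
HIDDEN = "EXEC('SELECT 1')".encode().hex()
SAMPLE_IDS = [
    "42",
    "42;DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + HIDDEN
    + " AS VARCHAR(4000));EXEC(@S);--",
    "42+OR+1=1",
    "42%27+UNION+SELECT+name+FROM+user--",
]

if __name__ == "__main__":
    for raw in SAMPLE_IDS:
        verdict, labels = classify_id(raw)
        print(f"{verdict:6} {labels} <- {raw[:60]}")
```

Note that "42 OR 1=1" is rejected with no label at all: that is the case a keyword list on its own would have let through, and it is why the integer test has to be the gate rather than the list.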
...and all hackers ALWAYS use the same IP 'cause they'd never get
caught that way... hehe
yes... that was meant to be sarcastic
It does not look sarcastic to me, just may be a little retarded ;-)
I see where you're coming from Claude, I just think (as Dave appears to) that you're wasting
This appears to be a botnet-driven attack. Blocking addresses may be problematic in that case.
Why do you all want to interpret this as a final solution?
Blocking an IP will NOT block ANY attack, it will just stop the current
attack from THIS address, period.
But it is safer than letting the
and no... not retarded, just tactless
Your vocabulary is definitely richer than mine, maybe less efficient,
but richer ;-)
--
Bottom line: ***always*** use cfqueryparam. Period. There are no acceptable exceptions to the rule.
Even with something like
UPDATE myTable SET myDate = <cfqueryparam value="#now()#" CFSQLType="CF_SQL_TIMESTAMP">?
OR this:
UPDATE myTable SET myValue = <cfqueryparam value=
I too was concerned about your solution being
put forward in a security context...because it's not.
Yes it is. It serves two purposes:
1. check if the value is correct, and 2. detect an attack if the value
is not correct.
But if the value is not correct (a positive integer), the query is not
For those of you who are actually trying to learn and become better programmers/developers,
I used to be a teacher myself, and I never agreed with this way of teaching beginners
to do things mechanically without thinking about the reasons and the pros and cons.
If you teach beginners to act
Looks like you're having a list of lists now.
One solution is to use some different delimiter for the elements in one
of the lists.
--
You can try this.
http://www.debugbar.com/
Hi, are you using it yourself?
I tried it, there are a lot of interesting options, however two main flaws:
1º the error message is still the same stupidity:
- it does not give the true file name where the error occurs,
- it gives the line number, but
Actually I have it installed but I rarely use IE except for cross browser
css issues.
I see. In my case, most of my Javascript is used in my CMS, used by administrators,
and none of them use FF, so developing for IE is a must.
--
Did you try CompanionJS? I think it is just what you need.
Ah ha! Now this looks better ;-)
Thanks.
--
Companion.JS that works with it was helpful in my case - not perfect
but helpful. (Better than nothing, certainly.)
I tried it, but unfortunately it requires the MS debugger, and for some reason,
I've never been able to get this piece of ?%$! to work under IE6.
All I get is a new window with
You might want to take a look at IE7 stand alone.
I will sure do.
Thanks.
--
Maybe wrap it in something like
<!-- [BEGIN TEXT TO GRAB] --> This is the text you want indexed <!-- [END TEXT TO GRAB] -->
Pretty good idea! And then use CF_REExtract to grab it ;-)
--
I know that you could probably sort a field by first assigning a collation such as the following
Really not trivial.
For some languages, a collation is not enough.
I may be wrong, but I think I've learned that in Spanish for instance,
the double l or ch are not considered as two letters but
Littrell
Liu
Liénard
This is a good example.
Liénard comes at the end, because apparently the sort uses the ASCII
collating sequence in which é comes after all other non accented characters.
A solution would be to have two columns for names, like
Name key
-
Liénard
I think Lienard (how do you bring up the symbol on a QWERTY keyboard?) is
after Liu because that e comes after the 26 English alphabet letters.
It comes at the end in the ISO character set, but an alphabetic sort should
not use the ASCII code.
Thus the problem.
--
I have not had a chance to work with international characters in the DB, so
this sounds really interesting.
I'm sending it by private eMail, I'm afraid that posting it here will
make the message too large.
It works for strings in ISO, and may be used for databases in ISO,
not UTF-8
--
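Added example, not the code that was sent off-list: an accent-insensitive sort key in Python covering the two points raised above, the Liénard/Liu ordering and the digraph rule. It strips combining marks after NFD decomposition, accepts ISO-8859-1 bytes as well as Unicode strings (the thread's data being in ISO, not UTF-8), and takes an optional list of digraphs to treat as single letters; the rule shown is the traditional Spanish one, where ch and ll sort after c and l. Everything here is an assumption of this example, not something the thread specified.

```python
"""Accent-insensitive, locale-aware sort key for names.  Added example,
not code from the thread; the digraph rule is the traditional Spanish
one (ch and ll sorted as single letters after c and l)."""
import unicodedata


def strip_accents(text: str) -> str:
    """Decompose (NFD) and drop combining marks: 'é' -> 'e', 'ñ' -> 'n'.
    Letters with no decomposition (e.g. 'ł', 'ø') are left as they are."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def sort_key(name, digraphs=()):
    """Key usable with sorted().  Accepts ISO-8859-1 bytes as well as str.
    Each digraph in `digraphs` (e.g. 'ch') is rewritten to its first letter
    followed by '{', which sorts after 'z', so 'chico' lands after every
    other 'c...' word, as the traditional Spanish alphabet has it."""
    if isinstance(name, bytes):
        name = name.decode("latin-1")
    key = strip_accents(name).lower()
    for dg in digraphs:
        key = key.replace(dg, dg[0] + "{")
    return key


def sort_names(names, digraphs=()):
    """Sort a list of names (str or latin-1 bytes) alphabetically."""
    return sorted(names, key=lambda n: sort_key(n, digraphs))


if __name__ == "__main__":
    names = ["Littrell", "Liu", "Liénard"]
    print("code-point order:   ", sorted(names))
    print("accent-insensitive: ", sort_names(names))
    print("traditional Spanish:", sort_names(["cuna", "chico", "cama"],
                                             digraphs=("ch", "ll")))
```

With a plain sorted() Liénard comes last, exactly as described above, because 'é' has a higher code point than 'u'; with the key it comes first, where a reader expects it. Storing this key in a second column, as suggested above, lets the database do the ordering.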
Any clues on how to trace javascript errors in IE?
Error messages in IE are simply retarded.
The error could be in any file, and it does not even give the file name.
Furthermore, the line number is always one unit higher.
Then your error must be in one of the included files, at line 347.
--
Hi,
Anyone here has an application using Paypal?
I'm new to this so I don't know if the problem is with me or with Paypal:
I'm testing payments through the sandbox IPN server.
Last Friday, it worked fine, but since this morning, I do not receive any notify_url
call back on my server.
Apparently
Is there any practical way to use ONE Application.CFM file in ONE place
for all of these sites?
For all my sites, I have a virtual directory on the same common directory.
Then for all sites, /common/... refers to the same directory on the server.
In particular, all my Application.cfm start with:
for grins, try this:
<cfset sendEmail = "#getproducts.Email[1]#">
or even simpler: <cfset sendEmail = getproducts.Email[1]>
--
Note that
1º according to the docs, GetTickCount() returns a string representation of the system time,
not the time spent in the CF code.
The CF server is running in a time-shared environment, so the system time is not really
representative of the execution time.
2º There is a huge difference
When I import the cfwindow libraries via cfajaximport, my simple
javascript menus will flicker in Internet Explorer and sometimes close
themselves.
This is the trouble with such libraries: they include all you need,... but also 99% of what you don't need.
Look at all you have:
script
Have you tried submitting the form with
the same values? Same browser/OS?
I have noticed that Opera has a check box in the alert: Stop executing
scripts in this page.
This is at least one possibility.
--
___
cfquery automatically escapes single ticks
It does, but only if a single variable is passed in the query, not if it is a more complex expression,
and apparently not even if it is a column in a query.
Try this:
<CFSET temp = getRecord_qry.memo>
INSERT INTO TableName_tb
(memo)
VALUES
('#temp#')
Hi,
Is there any problem with the list?
I'm receiving very few messages, and I do not see two new topics I sent
yesterday and this morning.
--
Is there any problem with the list?
Apparently, I can answer, but not send new messages.
Ok, let me answer to myself on this one ;-)
I have form with a Javascript validating system.
After hundreds of successful submits of the form, I recently got one
form submitted with two mandatory date
Why not do the checks in the form statement with an 'onSubmit='?
Well, good question. The main reason is that all forms in the system are
independent and may have their own onSubmit.
But they must all have this checkInput () procedure.
The submit button, on the other hand is in a common
A bot?
No way, the form was filled by a real person, all the rest of the
information in the field make sense,
including the mail address of the submitter. It is a membership
registration form in an association.
It is possible to spoof anything in an HTTP request to your server.
Of course,
Hi,
I have form with a Javascript validating system.
After hundreds of successful submits of the form, I recently got one
form submitted with two mandatory date fields empty.
If a visitor has Javascript disabled, he cannot even see the form, then
I suppose it is not the issue.
The Javascript
Your TO address is announcing itself as CF-Talk House of Fusion. It's
technically correct but my code is a little too sensitive. Let me see what I
can do to make it a little less sensitive.
This is what I suspected. I will remove the superfluous name in the
address then.
Thanks.
--
How do I indicate a comma in a replace list so I can replace the comma?
replaceList is not the right tool for this, and since you are replacing all characters by the same one,
what you need is REReplace, i.e.:
REReplace(MyString, "[##%/\\*?|:$.'@,]", "_", "all")
Example:
CFSET myString =
...dat is a generic extension for ANY data. It could have been generated by ANY application
in ANY format.
If you see funky chars, it is probably because they are not chars, but
binary data.
NotePad won't give you much information about binary data.
Search the web to see if you can download from
after playing with regex for 2 hours.
Not bad. The average is at least 6 hours ;-)
--
Does that sound like an idea, or can somebody think of a better way to
do this?
Tell them you must enter their earnings in the table so you can sort the list
in order of the work they do, maybe they will forget about their request ;-))
Not joking, I wouldn't take the responsibility of such a
Comparing a hash of
each file would surely reduce the amount of text CF had to throw around
especially if you are performing several tests with the same set of
files.
Apparently yes, but calculating the hash certainly takes more time than comparing two strings,
and it needs to go through the
I'd be tempted to split the work by doing a simple check at the start on file sizes.
Well, obviously.
--
IMHO, independent permissions for viewing, adding, editing, deleting elements
may be going too much into details and obviously adding to the complexity.
Having only one permission for each type of element should be enough.
- any one can view elements on the public site anyway, so no permission
That would prevent copying and printing.
That would not prevent anything.
Never forget this basic principle :
The more someone is really able to reuse your images, the more skills
he will have to copy it.
Corollary: Any image protection scheme will only protect against those
who wouldn't know
Note 3:
You must have a pretty good reason not making a loop, because a loop
would be much more efficient than using ReplaceList().
A loop could be stopped as soon as an element in the list is found.
ReplaceList() will also have a loop internally, but this one will run
till the end.
--
Without looping (I'd like one cfif conditional), is there any way to
determine if any element from badtitlekeywords is contained within title?
Yes there is, use ReplaceList(), i.e.:
<CFIF ReplaceList(title, badtitlekeywords, "") NEQ title> ... then ...
If one element of
--
Just because it has, does it mean it is not a bug?
No, it doesn't.
But in this case, it is just the way Allaire has defined it:
look at all list functions, the parameter is delimiters, not delimiter,
and the description says Set of delimiters used in list, not string
used as delimiter
The
One has to remember that this function is now nearly 12 years since
it was
introduced this way. Does it still make it the right decision by Allaire?
No it doesn't, but it is definitely not a bug. One could see it as a
flaw in design, at a pinch,
but not a bug.
A bug is when something does not
What's the best approach for that?
Have each task schedule the next one at the end of its process.
Yes, the client needs Flash installed, but with AJAX you have
to worry that the client has JavaScript enabled (and with that,
browser compatibility questions).
There is a big difference between installed and enabled.
If he doesn't want to install a third party plug-in, he is perfectly
Claude do you have any idea of the settings needed?
On that particular case, no.
I do not use FCKEditor, having my own system.
I was just seeing some similarity with an issue I worked on a couple of months ago.
In this case, the problem was with special effect filters inactive because of some
However, as far as browser compatibility. I think FCKEditor has some
room for improvement.
With IE, there are so many options the user can deactivate that it is
not easy for the Javascript developer.
There are for instance several security checks that lock ActiveX, even internal ActiveX
So image name conflict won't be a problem.
I see, then checking in the query is your solution.
--
I would create a regExp for each character, in a structure, i.e.:
RE['i'] = "[i89okju]"
RE['b'] = "[bvghn]"
RE['m'] = "[jk,n]"
replace every character by its equivalent regexp
ibm = [i89okju][bvghn][jk,n]
And search using this expression
But you should also take care of inversions, probably even more
Becuase
See what I mean about inversion typos ;-)
--
I figured that some uber-cf-wiz here
would know some java or undocumented trick that could determine the
surrounding keys
This will almost certainly take more time to find than typing them once
for all on the keyboard.
--
I don't remember ever running a query like this one, so I'm
not sure it's even a valid approach.
My approach is to rename every file using the CreateUUID() function
to make sure there is no duplicate problem.
--
Can you be a little more explicit about how you do that, Claude?
I've never used CreateUUID before.
I rename the file when it is uploaded, i.e.:
<CFSET fileName = "#CreateUUID()#.temp">
<CFIF fileUpload NEQ "">
<!--- File received --->
<CFFILE ACTION="Upload"
FILEFIELD="#fileUpload#"
So how do I modify the query, which now looks like this...
This is it, a unique index will detect the error, but it will not solve it.
Checking if the file already exists will not solve the problem either.
So better make sure the file name is unique first and eliminate the
possibility of a
I don't want to rename the files and include them,
I want to avoid adding the files to the directory completely.
I see, but what if two users want to enter two different images having
the same file name?
--
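Added example, not the CFFILE code quoted above and not from anyone in the thread: the rename-on-upload idea in Python, carried one step further than the thread takes it. The stored name is a fresh UUID with a .temp suffix (nothing from the client), and when the file is published the only thing taken from the client's name is an allow-listed extension, after any directory components have been discarded. The extension list, the .temp convention and the regex are assumptions of this example.

```python
"""Server-chosen file names for uploads.  Added example (not the
thread's CFFILE code): the stored name is a fresh UUID, and the client
name contributes at most an allow-listed extension."""
import os
import re
import uuid

# Assumption of this example: the site only serves these upload types.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
STORED_RE = re.compile(r"^[0-9a-f]{32}\.temp$")


def temp_name() -> str:
    """Name to write the upload under first.  Two users uploading files
    with the same client-side name can never collide, and the name can
    never contain a path or a script extension."""
    return uuid.uuid4().hex + ".temp"


def client_extension(client_filename: str):
    """Extension the client claims, after discarding path components
    (Windows or POSIX) and keeping only the last extension, so
    shell.cfm.jpg -> .jpg.  Returns None if it is not on the allow-list."""
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(base)[1].lower()
    return ext if ext in ALLOWED_EXT else None


def final_name(stored_temp: str, client_filename: str):
    """Name to publish under once the content has been checked (e.g. by
    loading it with an image library): same UUID, validated extension.
    Returns None when the claimed extension is not allowed."""
    if not STORED_RE.match(stored_temp):
        raise ValueError("not a name produced by temp_name()")
    ext = client_extension(client_filename)
    if ext is None:
        return None
    return stored_temp[: -len(".temp")] + ext


if __name__ == "__main__":
    stored = temp_name()
    for claimed in ["photo.jpg", "../../etc/passwd.jpg", "shell.cfm", "a.jpg.cfm"]:
        print(f"{claimed!r:28} -> {final_name(stored, claimed)}")
```

The extension check only says what the client claims; the content check between temp_name() and final_name() is what decides whether the bytes really are an image. Keeping the .temp suffix until then means a half-validated upload is never served under a browser-renderable name.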
Or if you are cheap like me there is always cfx_image. ;)
CFX_image has been the best for a long time, but it is really missing
image quality in resizing.
ImageCR3 is definitely the best.
--
I still recommend ImageCR3 from Efflare
But why pay for a commercial product when there are free solutions? ;-)
--
yes, i'm making a point.
... and I subscribe to it 100%. It was just some kind of inside joke
especially intended for Bobby ;-)
--
I'd need something like
IF create_d between 3 months ago and now
Then
INSERT(title, 0, 0, '<span style="font-style:bold;color:#00;">NEW</span>') AS new_title
Check if you can use the IIf function in your database, i.e.:
SELECT IIF(create_d > 3 months ago, '<span
How do I take a word like, apple and loop through each letter?
Try this:
<CFSET word = "apple">
<CFLOOP INDEX="c" FROM="1" TO="#len(word)#">
<CFSET currentChar = mid(word, c, 1)>
<CFOUTPUT>currentChar = #currentChar#<BR/></CFOUTPUT>
</CFLOOP>
--
find how many lines in it with ListLen() and then a
ListGetAt() to get the last line.
or simply use listLast().
--
Well, traditionally, hexadecimal values were written in upper case,
so IMHO, CF is right.
If other applications expects hash values in lower case, it is your
responsibility to deal
with this particularity.
How can i trim this variable
Try this: listLast(field, "_")
--
How can i skip insertion of the button since i am using the
form.fieldnames
Add a test for the submit name in your loop, and skip the query if the
test succeeds.
--
Use the Compare() function, i.e.:
<CFSET oldcompany = '033'>
<CFSET newcompany = '0033'>
<CFOUTPUT>#(oldcompany EQ newcompany)#<BR>
#(Compare(oldcompany, newcompany) EQ 0)#
</CFOUTPUT>
--
Oops, hit the wrong list
Looks like your computer is due for an upgrade ;-)
--
Would this work?
Like this no, but this should work:
select sap.photo_filename as prop_photo_filename_01,
sap.photo_filename as prop_photo_filename_02,
sap.photo_filename as prop_photo_filename_03
from smlc_acr_photos sap
where sap.photo_mls_number = sa.mls_number limit 3
--
Well... i have a javascript validation script that can take a regex
pattern to check against.
Are you named Web Exp for Web Expert?
Regexp are good at checking strings, not integer values.
Your javascript validation script that can take a regex is just not
the right tool.
You would need just a
below is the link to the website that contains the data I require.
Ok, you definitely need CF_REextract:
http://www.contentbox.com/claude/customtags/REextract/testREextract.cfm
You can even test it on your page here:
http://www.contentbox.com/claude/customtags/REextract/testingREextract.cfm
1.
The
frequency of the occurrences, and the constantly changing URL and client IP,
suggests a bot.
Exactly, and also the fact that the user agent is always the same:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
The fact that the IP address changes,
To pass the username and password to this page, but I had no luck.
First I would check the CFHTTP content to see if the login was successful.
Then the site must have some scheme to keep track of the session.
Look if it stores a cookie in your browser, and try to support it in
your CFHTTP call.
I don't want to re-write my pages, I just want the submit to not
refresh the page and return the results on the same page as the search form.
I've done something similar without Ajax.
There are two main problems if you do it in Ajax:
1º robots like Google do not see the sub pages your site
Can you see this page ok?
Looks OK to me with IE 6.
Opera 9.27
Safari 3.03
Firefox 2.0.0
--
My comment did have value. It is a fact that it is a waste of time to
report a bug on an out of date platform,
Especially when the bug is classified RTFM ;-)
Why didn't someone call me?
That's the destiny of falling stars ;-)
--
Unfortunately multi-tab form is parallel (I believe) while my case is
sequential processing
There is no sequential processing of multiple forms possible in HTML.
You can have several forms in a page, but only one can submit.
Tab forms is a solution to temporarily hide parts of a form, but only
Are you an expert in, say, DOM?
Yes.
To my knowledge, each and all web/script page, be it written in
cf, jsp, asp, php, would be rendered by a UA (browser here), and the
underlying technology for that is DOM, so, it does not matter how many
HTML forms on a 'page'/script the web server
My key point was, to re-use cfform's built-in client data validation
capability for my case if that's possible,
Well, if you use CFFORM, it should be possible for sure, or do you mean
you want to use CFFORM validation WITHOUT using CFFORM?
for instance, do you build you own credit card
* User clicks forgot my password link
* They enter their user name and e-mail address
What if he forgot his user name?
--
But make sure to send it to the email on record
That was my point. Just ask for the email he used to register, and send
him his code and password, period.
have the user who gets that email click a link which authorizes the
change of password.
What for? If anyone gets the message
this is what i have so far.
A probably better idea, if you can modify the table, would be to have
two fields in the table, ie:
- objectiveNo
- parentObjective
Then your list 1.0, 1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.3, would be
represented by
objectiveNo    parentObjective
0
Hi,
Your approach looks weird to me
Why do you need the first query to get the serial number to be used in
the second
query if you already know the serial number?
Any way, shouldn't be at least something like
where serialnumber = '#serialnumber#'
in the first query?
Are serial numbers text
However you do it, I'd look at a Java StringBuilder or StringBuffer,
because
any string manipulation with CF over that many lines is going to blow up
with a Java out of memory exception since every concatenation or string
function call creates another string in memory.
I would rather write a
if the title in the DB
is Blade Runner (DVD) and someone searches for Blade Runner then
IMO, the soundex algorithm is not appropriate in this case.
Soundex extracts a key which essentially depends on the first syllable of the string.
It has been developed mostly for names, not for any kind of
As far as I can tell it would work perfectly for this...
Not if you want to get dvd blade runner or Harrison Ford blade
runner in the same query.
Anyway, you can test soundex here for instance:
http://www.jewishgen.org/jos/jossound.htm
--
Does anyone have any suggestions?
Sure: find some discussion forum about Firefox.
Here in CF_talk, we talk about ColdFusion.
--
How would I select falls_bridge
left(string, len(string) - len(listLast(string, "_")) - 1)
--
So, if they only enter 2007 and nothing else, 01/01/2007 is getting recorded
Well, this will be fine when looking for events <= 06/30/2007 for instance,
since 0/0/2007 stands for any date in 2007.
but what if looking for events >= 06/30/2007?
01/01/2007 won't come out and it should, since it could