You need to verify that the search terms you are providing for that column are
numeric. The cfqueryparam does that but returns an error when it finds a
problem. It's up to you to make sure that you are providing the proper type
for the columns you are querying. In this case if the search
Not sure.. we don't handle much of the system software/hardware on the box. Do
you know what that may affect or how to check when it was updated?
Has anyone updated the java version by any chance
Russ Michaels
www.michaels.me.uk
On 9 Jul 2013 23:11, Chris Johnson
Do any other CF requests work on that server?
Sounds like a web connector issue perhaps.
Byron Mann
Lead Engineer Architect
HostMySite.com
On Jul 9, 2013 6:11 PM, Chris Johnson ejohn...@directalliance.com wrote:
Really odd issue we've been having.. We have a scheduled task that hits
you should ask whoever manages the server, as updating to new java versions
can have bizarre results like this where everything seems to work except
one random thing.
you can also see the java version being used on the info page in cfadmin.
you should also try rebuilding your connectors, as they
Has anyone updated the java version by any chance
Russ Michaels
www.michaels.me.uk
On 9 Jul 2013 23:11, Chris Johnson ejohn...@directalliance.com wrote:
Really odd issue we've been having.. We have a scheduled task that hits
another database server to get a full list of employees. It then
A related question: I have a table of towns that has ~20,000 records. The
dataset I need has the record ID, town name, a memo field (usually empty), and
fields holding an index into other tables (township, county, state, country).
In my form I have a select field to pick the town. I don't want
list of towns is not really a huge query, just do it once and cache and
then do a query of query for your auto complete.
On Mon, Jan 7, 2013 at 2:06 PM, Stephens, Larry V steph...@iu.edu wrote:
A related question: I have a table of towns that has ~20,000 records. The
dataset I need has the
Very slick. Thanks guys!
--Ben
On 1/5/2013 3:39 PM, Claude Schnéegans wrote:
2. Only query the primary keys, and then loop over that list grabbing x
records at a time and doing a new query to get all rows for those keys.
This is a pretty good method.
I tested it on a
Another method, assuming you're using MS SQL Server (not sure how far
this goes back compatibility-wise) is to toss in the criteria for the
full search, but then to only pull back X rows:
WITH Results_Full AS (
SELECT Field1, Field2, Field3, ROW_NUMBER()
OVER (ORDER BY
On Sat, Jan 5, 2013 at 8:25 AM, Russ Michaels r...@michaels.me.uk wrote:
2 simple solutions are.
1. Don't query all the data at all, instead provide a search form to get at
specific records, which is usually much simpler than paging through
hundreds or thousands of records.
2. Only query
That's what I suspected. Much appreciated.
--Ben
On 1/4/2013 6:40 AM, Dave Watts wrote:
A question came up recently with one of my client developers who is
potentially
returning a large # of rows from a query. The question was whether the
result
set is stored in memory or spooled to
Actually there are ways to step through a result set using database
functions so that you do not store huge result sets in memory; if you Google
it then you will find some examples.
2 simple solutions are.
1. Don't query all the data at all, instead provide a search form to get at
specific
2. Only query the primary keys, and then loop over that list grabbing x
records at a time and doing a new query to get all rows for those keys.
This is a pretty good method.
I tested it on a database containing about 45 records with a search template.
I give a very loose criterion on
Glad it helped. Also don't forget you can cache the original primary key query
too.
Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Jan 5, 2013 10:39 PM, wrote:
2. Only query the primary keys, and then
A question came up recently with one of my client developers who is
potentially
returning a large # of rows from a query. The question was whether the result
set is stored in memory or spooled to disk somewhere. I didn't know but
assumed
it was memory resident.
Anyone know the answer
If it's just a few records then use query of query to get your subset of
results and then insert the results into database B
If this is a regular occurrence and happens often, then you may want to
look at creating a DTS script on your SQL server and scheduling that to do
the job.
On Sat,
-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Sunday, March 11, 2012 1:48 PM
To: cf-talk
Subject: Re: CFQuery to Database
If it's just a few records then use query of query to get your subset of results
and then insert the results into database B
WHERE EXPIRATIONDATE = <cfqueryparam value="#mydatetime#" CFSQLType="CF_SQL_VARCHAR">
Sent from my Samsung Galaxy SII
On Mar 4, 2012 7:54 AM, Barry Mcconaghey bmcconag...@gmail.com wrote:
Hello.
I'm trying to get this cfquery to match a database field
EXPIRATIONDATE(date) 2012-3-04 and do
CFSQLType ='CF_SQL_VARCHAR'
Also for date columns use a date/time type instead of varchar. If the column
contains dates (only) you can use cf_sql_date, which truncates the time portion.
WHERE EXPIRATIONDATE = cfqueryparam value = #now()#
CFSQLType
Start here and let us know if you have any trouble:
http://www.cfscreencast.com/2007/12/6/retrieving-data-from-mysql-using-cfquery/
http://www.coldfusion-ria.com/Blog/index.cfm/2009/12/14/ExtJS-30-Editor-Grid-with-ColdFusion
(I
didn't see an ExtJS 4 example on Google. Perhaps 3 will work for
Thanks for your assistance
Yes, and if this is form input, you should be using cfqueryparam anyway.
Please see the news for Sony's latest data hack, which was simple web-based
SQL injection. cfsqltype will need to match column datatype in each case.
<cfquery datasource="#DSN#" name="GetResults">
SELECT Formation, Play,
What DBMS are you using? MSSQL, MYSQL, Access (bleeackk!), other?
MSSQL uses single quotes in the WHERE clause. However, if you use
cfqueryparam for all of your where clause pieces, single quotes in your
strings should pass through in the database request just fine.
What is the data type of
Mark, there is an excellent SQL tutorial here: http://www.w3schools.com/sql/
If you figure out exactly how joins work, it will make writing SQL so
much easier for you.
Sub-selects like Greg used are also very useful.
A few hours spent on this site will save you hours of struggle later.
On
SELECT DISTINCT table3.ID, table3.Company
FROM table3 INNER JOIN
table2 ON table3.ID = table2.t2_ID INNER JOIN
table1 ON table2.ordernumber = table1.ordernumber
WHERE (table1.productcode LIKE '%a certain string%')
On Thu, May 26, 2011 at
If they all return 1 row use this..
select * from table3 t3
where t3.ID = (
select t2.ID
from table2 t2
where t2.productcode = (
select t1.productcode
from table1 t1
where t1.ordernumber = [whatever]
)
)
If they
it to produce the same results, which I will
do.
Thanks again,
Mark
-Original Message-
From: Greg Morphis [mailto:gmorp...@gmail.com]
Sent: Thursday, May 26, 2011 11:48 AM
To: cf-talk
Subject: Re: cfquery select question
If they all return 1 row use this..
select * from table3 t3
where t3.ID
I checked and it's turned off. This is happening from multiple computers
with Firefox.
Any other thoughts?
-Original Message-
From: Matt Quackenbush
Sent: Tuesday, April 19, 2011 12:20 AM
To: cf-talk
Subject: Re: CFQUERY update Firefox weirdness
Wild guess: Firebug is turned
On 19/04/2011 8:46 PM, Dan Blickensderfer wrote:
I checked and it's turned off. This is happening from multiple computers
with Firefox.
Any other thoughts?
in that case turn it on and look at what the browser is sending...
--
Yours,
Kym Kovan
mbcomms.net.au
not referring to a url
it reloads the same page.
This was driving me crazy.
Dan
-Original Message-
From: Kym Kovan
Sent: Tuesday, April 19, 2011 7:23 AM
To: cf-talk
Subject: Re: CFQUERY update Firefox weirdness
On 19/04/2011 8:46 PM, Dan Blickensderfer wrote:
I checked and it's turned off
Hi
I've never seen that.. but the first thing I would look at is to set
up a way to see how many times that action page is run. Perhaps insert a
GetTickCount counter into a log file when the action page is
run.. First look to see how it works in IE, then try firefox.
At 06:55 PM 4/18/2011,
The cfquery tag has absolutely nothing to do with any browser - it is
executed by CF on the server side.
I would check your page's HTML and JavaScript instead - that's where
browser differences can come into play.
How do you submit your form to add an item to the cart - Ajax or regular form
submit?
how
Wild guess: Firebug is turned on and is adding a second click to the flow.
The behavior change might be due to updated drivers, which is the most
common source of modified database behavior. You can probably fix this
either in CF, using something like NumberFormat, or cfqueryparam, or using
casting in SQL Server. If this is a lot of work for you, it might be worth
it to
What is the data type of the field in SQL Server? If you run the query in
Management Studio, what do you see for that value? How are you outputting
the value in CF to see the 0E-8 number? What tag are you using to call the
stored procedure in ColdFusion? Which version of MS SQL Server are you
Thanks for the clarification questions, Mike.
What is the data type of the field in SQL Server?
numeric(10,2)
If you run the query in Management Studio, what do you see for that value?
0.00
How are you outputting the value in CF to see the 0E-8 number?
In a tossed error it was displayed
It occurred to me that I should first ask if this issue is causing any
problems, or if it is only an unexpected way to format a number? For example
0.00 = 0E-8. They are both the same number regardless of how they are
displayed.
For clarification, which number has the unexpected formatting, the
It occurred to me that I should first ask if this issue is causing any
problems, or if it is only an unexpected way to format a number? For example
0.00 = 0E-8. They are both the same number regardless of how they are
displayed.
Unfortunately, it is causing an issue in this particular instance
Why would a SQL cast fix the issue? Casting a numeric(10,2) to a
numeric(10,2) would not solve anything, which means that the value you are
casting to numeric must be of a different data type, likely float or
varchar. Floating point numbers often display in scientific notation. The
numeric value
Thanks Mike.
Opened up the procedure and gave it a look. It looks like there's some
multiplication and division going on, which is resulting in a change. Relevant
part for one of the returned values:
MemberPrice =
(case when qp.productid is null then p.MemberPrice
else
Looks like you might need to revise the procedure to CAST the calculated
value back to Numeric(10,2) before returning it?
Carl
On 2/16/2011 2:30 PM, James Skemp wrote:
Thanks Mike.
Opened up the procedure and gave it a look. It looks like there's some
multiplication and division going on,
Looks like you might need to revise the procedure to CAST the calculated
value back to Numeric(10,2) before returning it?
Carl
Yeah, which is what we're doing for this one to resolve the issue.
But since this is a legacy, third-party, application ... it worries me the
number of places this
But why does it need to be a full Access database? Providing a delimited
file users could import is simpler and more flexible. As it could be
imported into both Excel and Access.
I asked the same question... It's political and we's IT people don't not
know what were talkin bout...
One of the
Thanks! Looks like I am kind of on the right track... I will read up on this
link...
Rick
-Original Message-
From: Mark A. Kruger [mailto:mkru...@cfwebtools.com]
Sent: Wednesday, January 05, 2011 9:23 PM
To: cf-talk
Subject: RE: CFQuery to mdb
You can seed a database with the schema
Rick Eidson wrote:
It's political and we's IT people don't not
know what were talkin bout...
Oh. One of those deals. (How familiar ;-) Well it looks like Mark has you on
the right path.
Mark wrote:
While I agree with you about a CSV file in many cases, Leigh,
sometimes this is useful
just seems like more than I need to do.
I do not think so. It is not like exporting html/excel. An Access database
consists of more than just the data itself (system tables, etcetera). So I am
not sure there is a simpler way. Maybe using ms sql's export tools ..
But why does it need to be a
-
From: Leigh [mailto:cfsearch...@yahoo.com]
Sent: Wednesday, January 05, 2011 7:17 PM
To: cf-talk
Subject: Re: CFQuery to mdb
just seems like more than I need to do.
I do not think so. It is not like exporting html/excel. An Access database
consists of more than just the data itself (system
alternatively could the problem be before the data is put into mysql. basically
we are using an extjs text area to collect data, that passes the data over to a
form which we put straight in the database. should we be doing anything with
that data such as escaping it?
Hi,
i have data
Aside from my trepidations about generating SQL like this because it
prevents you from using cfqueryparam, what you're looking for is
#preserveSingleQuotes()#
coldfusion automatically escapes any single quotes in variables that
are within a cfquery tag so if your query SQL is a variable
cfquery
I'm with Rick. You should really change it up a wee bit so you can use
cfqueryparam. It has many advantages.
On Thu, Sep 16, 2010 at 8:54 AM, Rick Root rick.r...@gmail.com wrote:
Aside from my trepidations about generating SQL like this because it
prevents you from using cfqueryparam, what
yea so don't forget to do your own SQL injection protection as well.
On Thu, Sep 16, 2010 at 1:54 PM, Rick Root rick.r...@gmail.com wrote:
Aside from my trepidations about generating SQL like this because it
prevents you from using cfqueryparam, what you're looking for is
Thanks for the replies, although preserveSingleQuotes doesn't work
hi, we are running a cfquery with the following sql statement:
SELECT viewname, categoryname FROM views LEFT OUTER JOIN
viewcategories on views.categoryid = viewcategories.categoryid GROUP
BY viewname HAVING
On 9/16/2010 6:44 AM, Richard White wrote:
Thanks for the replies, although preserveSingleQuotes doesn't work
You should be looking at the actual SQL that is being sent to the
database. It would provide clear evidence of what is wrong.
Looking at this line:
cfset havingClause =
Or instead of using a variable, if you can just put the clause in the SQL
statement, let the list param do the work for you:
HAVING categoryname IN ( <cfqueryparam cfsqltype="cf_sql_varchar"
value="#arrayToList(value)#" list="yes" /> )
Wrap your actual cfquery with cftry and then cfoutput the variable cfcatch.sql:
<cftry>
<cfquery>...</cfquery>
<cfcatch type="Database"><cfoutput><pre>#cfcatch.sql#</pre></cfoutput></cfcatch>
</cftry>
Then post that SQL here.
Rick
thanks, although the problem is there is no error to catch. when we run a
cfdump of the query, the sql is as follows:
SELECT viewname, categoryname FROM views LEFT OUTER JOIN viewcategories on
views.categoryid = viewcategories.categoryid GROUP BY viewname HAVING 0 = 0 AND
categoryname IN
If it was MSSQL, you would want single quotes, so more like this:
SELECT viewname, categoryname FROM views LEFT OUTER JOIN viewcategories on
views.categoryid = viewcategories.categoryid GROUP BY viewname HAVING 0 = 0
AND categoryname IN ('''s') ORDER BY viewname ASC LIMIT 0, 300
Instead
Thanks for everyone's help, it's now solved!
The reason I am building it through a string is because it is interacting with
various ExtJS grids, which apply filters. I have a generic function that
creates the havingClause to filter the data.
I ran the havingClause through a loop printing out 1
Google is your friend:
Search cfquery to json and get:
http://www.coldfusionjedi.com/index.cfm/2007/9/20/Quick-and-Dirty-JSONQuery-Example
On Mon, Jun 7, 2010 at 11:53 AM, Richard White rich...@j7is.co.uk wrote:
hi,
Is there a quick and easy way to convert a cfquery into a JSON array. I
Thanks, sorry, I don't think I was clear enough; I knew about serializeJSON but
this doesn't work with ExtJS. In case anyone else stumbles on this post and is
interested, I found the following:
http://blog.cutterscrossing.com/index.cfm/CFQueryReader
Google is your friend:
Search cfquery to json
In fact toJson is even better for the job: http://tojson.riaforge.org/
Thanks, sorry, I don't think I was clear enough; I knew about
serializeJSON but this doesn't work with ExtJS. In case anyone else
stumbles on this post and is interested, I found the following:
toJson is better if you have room for the server-side overhead, and
don't mind writing methods that can't be used in any other scenario than
via Ajax. CFQueryReader is solely a client side solution, so that you
can reuse your server-side code in any way that you see fit.
Steve Cutter Blades
What are you trying to show? If you want a literal, put your alert results in
quotes. alert(<cfoutput>#query2.RecordCount#</cfoutput>);
Robert B. Harrison
Director of Interactive Services
Austin Williams
125 Kennedy Drive, Suite 100
Hauppauge NY 11788
P : 631.231.6600 Ext. 119
F : 631.434.7022
Any reason you are doing it this way and not just no javascript and use
cfdump instead?
-Original Message-
From: fun and learning [mailto:funandlrnn...@gmail.com]
Sent: Thursday, 15 April 2010 6:13 AM
To: cf-talk
Subject: cfquery within javascript
hi,
I am trying to do the
Couldn't you just say:
<cfif query1.recordcount>
[...] cflogic [...]
</cfif>
Sebastiaan
=
So long and thanx 4 all the fish
== Onlinebase.nl
-Original Message-
From: fun and learning [mailto:funandlrnn...@gmail.com]
Sent: Thursday, 15 April
Your cfif statement asks for the recordCount to be returned
on if the recordCount is greater than 0.
Try cfif blahName.recordcount GTE 0 and you should
get the recordCount either way.
Rick
-Original Message-
From: Dave Sueltenfuss [mailto:dsueltenf...@gmail.com]
Sent: Wednesday, March
You are correct, the record count for an empty query object does exist (and
should be 0). What exactly is not working? Are you getting an error
message?
On Wed, Mar 31, 2010 at 1:59 PM, Dave Sueltenfuss dsueltenf...@gmail.comwrote:
I'm running into an odd behavior with CFQUERY (at least I
You are correct that it should work, but there may be something else in the
code which is preventing the query from being executed. On the top of your
page add:
<cfparam name="blahName.recordcount" default="0">
And that will deal with the case where the query is not executed.
Robert B.
Ok, found the cause of the issue, by taking the query into SQL Server
In SQL, the following is being returned
*Warning: Null value is eliminated by an aggregate or other SET operation.
(0 row(s) affected)*
So it appears this is what is throwing off the query results in CF
I am working on
If the query is executing correctly but bringing back no records, this
should work with blahname.recordcount equal to zero. If the query is
not executing correctly, blahname.recordcount will not equal zero.
On Wed, Mar 31, 2010 at 10:59 AM, Dave Sueltenfuss
dsueltenf...@gmail.com wrote:
I'm
Hello. Is there a way to return a datatype list from
your query along with the column list? Example:
IIRC, there is no direct method. But you could certainly extract that
information using getMetaData()
<cfdump var="#getMetaData(qryTest)#">
You can usually get that info from the database's system tables, depending
on your RDBMS. (In the following queries, 'typename' will give you the
datatype.)
MSSQL:
SELECT syscolumns.colid,
syscolumns.name,
syscolumns.colorder AS sortorder,
In CF8 there is cfdbinfo. This function below will return a query object with the
following fields (see below).
http://www.cfquickdocs.com/cf8/?getDoc=cfdbinfo#cfdbinfo
If you don't have CF 8 you will have to query the metadata based on the SQL
dialect for that particular database. You can look at the
How about installing SeeFusion and enabling one of its rules to kill
threads that run for a certain amount of time? If there is a running
query it will kill it.
It may be a hammer where you wanted a scalpel, but it would work. Since
requests that are waiting for external I/O can't monitor
Run it in a thread with CFthread and put a timeout on the cfjoin.
Adam
On Thu, Oct 8, 2009 at 8:47 AM, Vamsi Pappu vissu.va...@gmail.com wrote:
Hi All,
I have a situation here where cfquery doesn't seem to be performing well on
jdbc driver, when I read in forums it was clearly mentioned
Or figure out why it's running slowly, and make it run faster. =)
Rick
On Thu, Oct 8, 2009 at 12:01 PM, Adam Haskell a.hask...@gmail.com wrote:
Run it in a thread with CFthread and put a timeout on the cfjoin.
Adam
On Thu, Oct 8, 2009 at 8:47 AM, Vamsi Pappu vissu.va...@gmail.com wrote:
I think you want it this way, using a CASE statement for the leadmgr
column. I also moved all your subselects into left joins, which should
give a bit better performance.
<cfquery datasource="askseaton" name="getOffices" result="variables">
select
s.address + ' ' + s.address2 + ' ' + s.address3 +
<cfquery datasource="askseaton" name="getOffices">
select
iif(lm.user_id = s.lead_mgr, (lm.first + ' ' +
lm.last) , s.lead_note) as leadMgr,
Anyone? Bueller? I really need an answer to this -- even though I'm running
Fusion Reactor and can keep a survival strategy, this is no way to keep a
server running. Is there anyone out there who's successfully used the TIMEOUT
parameter in CFQUERY with CFMX 7.0.2 and SQL 2005 Standard?
On Tue, Apr 14, 2009 at 5:25 PM, Sung Woo s...@cornell.edu wrote:
Hi Casey,
What happened today is that the SQL server basically locked up. CF kept
waiting for the request to come back, but it never did because it just hung
infinitely. It seems as if CF waits forever in a case like this,
[mailto:s...@cornell.edu]
Sent: Wednesday, April 15, 2009 7:58 AM
To: cf-talk
Subject: Re: CFQUERY Timeout for SQL2005 Fails
Anyone? Bueller? I really need an answer to this -- even though I'm
running Fusion Reactor and can keep a survival strategy, this is no way to
keep a server running
This is an interesting thread, I've seen what I believe to be very similar
behaviour here on one of my webservices, seemed that one particular query
sometimes just hangs indefinitely, however other threads and requests are all
just fine.
I tried playing around with application request
Mark and Casey,
Thanks for clarifying this for me. I don't own the SQL Server that I need to
hit, so it looks like I'm between a rock and a hard place.
I still don't think the TIMEOUT parameter is working, though. In my example,
I'm hitting a database that is fully operational, and I have a
Also -- this may just be me being dense, but I don't get why the TIMEOUT
feature in CFQUERY has to work this way. It's CF that's making the initial
request to the datasource, so it should start counting down from the moment it
creates that request. And then after waiting for a predetermined
Hi Mark,
To answer your question -- there's a DDL transaction that's running on the
server, and from what the folks have told me, an ALTER TABLE command was
causing the lock to occur. And the downside is that giving hints (i.e., WITH
(NOLOCK)) is not going to have an effect in this
-talk
Subject: Re: CFQUERY Timeout for SQL2005 Fails
Hi Mark,
To answer your question -- there's a DDL transaction that's running on the
server, and from what the folks have told me, an ALTER TABLE command was
causing the lock to occur. And the downside is that giving hints (i.e.,
WITH (NOLOCK
The docs say, no, it may not timeout at 1 second. Check out the
livedocs... Because the timeout attribute only affects the maximum
time for each suboperation of a query, the cumulative time may exceed
its value.
And, even then, the query stuff is considered to be 3rd party (or at
least, so
Check this out. This one, as I've said before, outputs a number around 3000.
<cfquery name="test" datasource="dsn" timeout="1">
select top 2 *
from table</cfquery>
<cfoutput>#cfquery.ExecutionTime#</cfoutput>
However, this one results in an error: Error Executing Database Query.
Actually, I was wrong -- even cfsetting requesttimeout=1
enablecfoutputonly=No doesn't work, because it still waits for the cfquery
to finish before it outputs the timeout error. Is there any solution for this?
The database we're relying on is unstable and we need to be able to kill the
how about adding WITH (NOLOCK)
If your queries are just selecting data, i'd use WITH (NOLOCK)
that way you don't need to wait for transactions to finish if that table
gets heavy inserts
<cfquery name="test" datasource="dsn" timeout="1">
select top 2 *
from table WITH (NOLOCK)
Hi Casey,
What happened today is that the SQL server basically locked up. CF kept
waiting for the request to come back, but it never did because it just hung
infinitely. It seems as if CF waits forever in a case like this, so it's
vital that I can kill the connection from the CFQUERY.
and have already picked up a nugget.
A tasty one at that. Thanx for sharing.
Should I return an array of structures
I would say yes. From what I have been reading, arrays of structures is the
standard way to exchange data between platforms (Think web services). If you
do it that way (arrays of
Q: What's the best way to return two structures from a function?
Should I return an array of structures or can I return the resultInfo in one
of the arguments
from the calling program?
Well, strictly speaking, if you set the value of something within the
calling program that's not returning
This is the syntax for doing it with an array of structures:
<cfset var result = ArrayNew(1)>
<cfquery name="qry" datasource="myDatasource" result="info">
SELECT * FROM Tablename
</cfquery>
<cfset result[1] = qry>
<cfset result[2] = info>
<cfreturn result>
What would be the syntax for using a structure of
I am reviewing CF and working on a small site to get my skills back up to
par.
Here is what I have:
<CFSET theSQL = "SELECT queryName, title, content FROM content WHERE
queryName = '#URL.queryName#'">
<cfquery name="getContent" datasource="indie">#theSQL#</cfquery>
<CFOUTPUT>#theSQL#</CFOUTPUT>
Hi Dave,
Thanks for the reply.
Second, and more importantly, using raw data from the browser like
that is a serious security vulnerability. Whenever you use unsafe data
within a query, you should build a prepared statement using the
CFQUERYPARAM tag:
Thanks for the link. I see that you authored this article. Very well
laid out. I understand SQL Injection and why to use CFQUERYPARAM.
What I did not see in the article was how to take a CFSET statement
that builds a SQL String and put CFQUERYPARAMS into it and make it
work.
Like:
cfset
On Wednesday 07 Jan 2009, Andrew Tegenkamp wrote:
can I fix it?
You can, but shouldn't. Constructing raw SQL strings is dangerous, security
wise.
I expect your real use case is more complex, but rewriting it to :
<cfquery name="insert" datasource="#DSN#">
INSERT INTO users(userName)
Andrew Tegenkamp wrote:
Why is this
Because CF automatically escapes all single quotes in variables used
inside of a CFQUERY... block.
and can I fix it?
Use the preserveSingleQuotes() function whose purpose is to override
this default behavior.
Just be aware that if you are not careful,
Actually, I'm gonna pick on you again Dave and challenge
this. (I'm hoping to add to my wall)
If a someone is using MySQL ...
Well, the original poster was asking about the current attack, which
specifically targets MS SQL Server.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/