I did end up redoing the entire query in a cfquery tag instead of the
connection string. I also used the queryparam tags like below. Seems to have
resolved the error and hopefully prevents SQL injection too.
Thanks
On Wed, Jan 27, 2010 at 5:30 PM, Teddy R. Payne wrote:
> Dusty,
> How about some
Yeah, that's a good point, Dean. Will tags solve that? Also if
using a connection string approach as opposed to a cfquery tag, what's the
best way to deal with SQL injection?
I know what SQL injection is and I'm sure I should probably be more concerned
with it than I have been in the past. Thanks for
sql error that only happens when
using CF
D'oh! Anyone else see the classic SQL injection vuln here...
--
Dean H. Saxe
"A true conservationist is a person who knows that the world is not
given by his fathers, but borrowed from his children." -- John James
Audubon
On Wed, Jan 27
On Wed, Jan 27, 2010 at 11:47 AM, Dusty Hale wrote:
> Teddy here's how I
De nada, amigo.
Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com
On Wed, Jan 27, 2010 at 5:49 PM, Dusty Hale wrote:
> I may have to do that because now I have another issue LOL. While using the
> connection string approach, it works great on our production server. However
> I can't f
I may have to do that because now I have another issue LOL. While using the
connection string approach, it works great on our production server. However
I can't for the life of me get connection strings like this to work on my
development server (Mac Book with VMWare Win XP CF 8) so I'm likely goi
Dusty,
How about something like this?
select
[donorid] ,
[occupation] ,
[race] ,
[haircolor] ,
[hairtexture] ,
[eyecolor] ,
[religion] ,
[bloodtype] ,
[height] ,
[weight] ,
[heightmetric] ,
[weigh
I also stopped using the tag and now it works:
classLoader = createObject("java", "java.lang.Class");
classLoader.forName("sun.jdbc.odbc.JdbcOdbcDriver");
dm = createObject("java","java.sql.DriverManager");
con = dm.getConnection("jdbc:odbc:DRIVER={SQL Server};Da
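For the connection-string approach asked about earlier in the thread, the equivalent of cfqueryparam is a JDBC PreparedStatement obtained from the same java.sql objects the message above creates. This is an added example, not code from the thread; the DSN name "donors", the form field txtDonorId and the column names are assumptions, and the driver class is the JDBC-ODBC bridge the message above loads.

```cfml
<cfscript>
    // Added example (not the list's code). Assumes an ODBC DSN named "donors"
    // and a search box posted as form.txtDonorId; both are placeholders.
    if (not isDefined("form.txtDonorId")) form.txtDonorId = "";

    // Same driver/connection setup as the message above, assigned step by step
    // so it stays CF8-compatible.
    classLoader = createObject("java", "java.lang.Class");
    classLoader.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    dm  = createObject("java", "java.sql.DriverManager");
    con = dm.getConnection("jdbc:odbc:donors");   // placeholder DSN

    // The SQL text is fixed; "?" marks a bound parameter. Whatever the user
    // typed (quotes, semicolons, comment markers) is sent as data, never
    // parsed as SQL, so string concatenation into the WHERE clause goes away.
    sql  = "SELECT donorid, occupation FROM mydonors WHERE donorid LIKE ?";
    stmt = con.prepareStatement(sql);

    // javaCast picks the setString(int, String) overload unambiguously.
    stmt.setString(javaCast("int", 1), "%" & form.txtDonorId & "%");

    rs = stmt.executeQuery();
    while (rs.next()) {
        writeOutput(rs.getString("donorid") & " - " & rs.getString("occupation") & "<br>");
    }

    // JDBC resources are not pooled or closed by ColdFusion when you bypass
    // cfquery, so release them explicitly.
    rs.close();
    stmt.close();
    con.close();
</cfscript>
```

The JDBC-ODBC bridge (sun.jdbc.odbc.JdbcOdbcDriver) was removed from the JDK in Java 8, so on a current JVM the same code needs a vendor JDBC driver and its connection URL; the prepareStatement/setString pattern itself does not change.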
So just to let you all know. I did find a solution.
I basically rolled my code back to the way it was yesterday because it
always worked before. Then I made the same little update I made today AGAIN
(just adding a reference to one other column in the query). Now it works.
I still don't for the li
Just to rule it out though I tried it. Didn't help though.
On Wed, Jan 27, 2010 at 3:36 PM, Forrest C. Gilmore wrote:
> Go into CF Help and look up the Preservesinglequotes function.
>
> Forrest C. Gilmore
>
> Dusty Hale wrote:
>
>> Yep that runs fine.
>>
>> This is real
Very familiar with that function but in this case. That's not it. If I
remember correctly that function is to preserve single quotes that might be
in the string like:
'It's a problem'
in this case the string never has a quote:
select * from mydonors where donorid like '%ABC123%'
On Wed, Jan 2
Go into CF Help and look up the Preservesinglequotes function.
Forrest C. Gilmore
Dusty Hale wrote:
Yep that runs fine.
This is really strange. The value of the qText variable is the same as
the query below yet when I stuff #qText# in there, it somehow doubles
the quo
Yep that runs fine.
This is really strange. The value of the qText variable is the same as the
query below yet when I stuff #qText# in there, it somehow doubles the quotes
by itself. Damn I just don't get how it could or would do that.
If I output the value of the qText variable on a page, quotes
I agree with you because in the last part of the CF error message, notice the
SQL state: the quotes are doubled up. However, when I output the string they're
not doubled up. I'm testing it out now.
Never seen anything like this in all my years LOL ...
The web site you are accessing has experienced
Dusty,
As a source of troubleshooting, have you put the SQL string into the cfquery
statement in its final form? I am wondering if the SQL runs correctly in
the cfquery before the dynamic evaluation.
Select donorid, occupation, race, haircolor, hairtexture, eyecolor,
religion, bloodtype, heigh
Teddy here's how I build the qText string part where the quotes are:
if(len(txtDonorId)){
qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
}
On Wed, Jan 27, 2010 at 2:28 PM, Teddy R. Payne wrote:
> Dusty,
> What type of single quotes are those? What is the source of
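The string-building shown in the message above, beside a cfqueryparam rewrite. This is an added example, not code from the thread; the form field form.txtDonorId, the datasource name "donors" and the column list (taken from the select earlier in the thread) are assumptions. Two facts explain what the thread is seeing: ColdFusion doubles any single quote inside a #variable# it evaluates within a cfquery tag (that is the escaping PreserveSingleQuotes() switches off), which is why the quotes in #qText# arrive doubled; and the same concatenation is the injection point Dean flagged, because the search term becomes part of the SQL text. Binding the value with cfqueryparam removes both problems at once.

```cfml
<!--- Added example (not from the thread). Assumed: a search box posted as
      form.txtDonorId and a datasource named "donors". --->
<cfparam name="form.txtDonorId" default="">

<!--- BEFORE: the WHERE clause is assembled in a string and later dropped into
      cfquery as #qText#. The user's text is spliced into the SQL (injection),
      and because CF escapes single quotes inside #variables# evaluated in
      cfquery, the quotes that were part of the SQL in qText get doubled too,
      which is the "doubled quotes" error the thread is chasing. --->
<cfscript>
    qText = "";
    if (len(form.txtDonorId)) {
        qText = qText & "AND donorid like '%" & form.txtDonorId & "%' ";
    }
    // Shown for contrast only; do not run:
    //   <cfquery ...> select * from mydonors where 1=1 #qText# </cfquery>
</cfscript>

<!--- AFTER: the SQL text is fixed at author time. The search term travels as
      a bound parameter, so any quote in it is data, never syntax, and neither
      quote doubling nor PreserveSingleQuotes() comes into play. --->
<cfquery name="getDonors" datasource="donors">
    SELECT donorid, occupation, race, haircolor, hairtexture, eyecolor,
           religion, bloodtype, height, weight
    FROM   mydonors
    WHERE  1 = 1
    <cfif len(form.txtDonorId)>
        AND donorid LIKE <cfqueryparam value="%#form.txtDonorId#%"
                                       cfsqltype="cf_sql_varchar">
    </cfif>
</cfquery>

<cfoutput query="getDonors">#donorid# - #occupation#<br></cfoutput>
```

The wildcard characters are added to the value, not to the SQL, so the LIKE pattern is still built server-side while the user's input stays a parameter; cfsqltype lets the driver reject values of the wrong type before the query runs.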
PM
Please respond to
discussion@acfug.org
To
discussion@acfug.org
cc
Subject
Re: [ACFUG Discuss] a very strange sql error that only happens when using
CF
Craig do you have a link to that thread?
Many thanks,
Dusty
On Wed, Jan 27, 2010 at 2:38 PM, wrote:
Looking out on the internet, I
Dusty Hale
> H
No I just basically output the query before it gets to the cfquery tag. That
outputs it on the page instead of running the query in CF. Then I copied the
query into SQL Studio and it runs fine. However when I run the same query in
a cfquery tag I get the message. No division is being used.
The sin
deral Reserve Bank of Atlanta
1000 Peachtree St. N.E.
Atlanta, Ga 30309-4470
(404)498-8437
craig.nas...@atl.frb.org
Dusty,
What type of single quotes are those? What is the source of the text? Was
the query copied and pasted from a Microsoft document?
Teddy R. Payne, ACCFD
Google Talk - teddyrpa...@gmail.com
On Wed, Jan 27, 2010 at 2:24 PM, Dusty Hale wrote:
> Hi:
>
> I've run into a very strange issue.
Hi:
I've run into a very strange issue. I have a cfc which has a tag
in it. I recently added one field to the SQL in the query and am getting an
error I've never seen before. I can't seem to dig out any info to solve
this. If anyone is familiar, please share.
Of course when I output the SQL and run