Cfqueryparam with PreserveSingleQuotes

Similar Messages

• CreateODBCDate and cfqueryparam with cf_sql_date

  Hi all.
  I've got a form that's accepting the following date formats
  (YYYY-MM-DD and MM-DD-YYYY).
  Just wondering if it's even necessary to use the
  CreateODBDate when I'm passing in the dates in my <cfquery>
  using a queryparam with a type of cf_sql_date?
  From what I understand cf_sql_date will recognize either of
  the two formats and properly create the ODBC date the way it's
  supposed to, but I can't find any resources that says this. Anyone
  know this for sure or not, and maybe have a reference I can point
  my team in the right direction?
  Thanks.

  Unless there is a known difference in how the two parse date
  strings, I would say no. Both parse a string and return a properly
  formatted date/time object. I strongly suspect they both use the
  same parsing method behind the scenes anyway.
  As an aside, MM-DD-YYYY can be interpreted multiple ways. But
  most likely both CreateODBCDate and cfqueryparam will interpret the
  value the same way.. for right or wrong ;-)

• SQL Injection with CF7 and MS SQL 2005

  I looked through a bunch of SQL injection posts and couldn't
  find a definitive answer to this...
  Let me introduce this by saying that I know I should be using
  CFQUERYPARAM with EVERY CF variable in a CFQUERY tag. No excuses.
  But for a necessary quick fix, if I only use it for numeric
  DB fields, is SQL injection still possible (using MS SQL 2005)?
  I've yet to successfully perform SQL injection while manipulating a
  variable surrounded by single quotes in the query.
  Scenario 1) select * from users where user_id=#form.user_id#
  ...is a gimme to hack, but
  Scenario 2) select * from users where
  password='#form.password#' ...is another story
  Has anyone ever heard of a successful SQL injection attack in
  a Scenario 2 situation.
  I'll fix everything up eventually, but I've got a Pen Test
  coming up soon, and a lot of raw code to review.
  Thanks

  quote:
  Originally posted by:
  Dan Bracuk
  What others can do is more relevent than what we think. When
  in doubt, test.
  very true, although my final solution went more like, "When
  in doubt, manually add about 600 cfqueryparams in 406 cfquery
  tags".

• Cfqueryparam behaving really strange

  Hi!
  I have the following scenario.
  CFMX 7.0
  MS SQL 2005
  Col1 and Col3 are nvarchar and Col 2 is an int
  Working sql: (returns all rows matching clause)
  SELECT * FROM table WHERE col1 = <cfqueryparam
  cfsqltype="cf_sql_varchar" value="#var1#"> AND col2 =
  <cfqueryparam cfsqltype="cf_sql_integer" value="#var2#"> AND
  col3 = <cfqueryparam cfsqltype="cf_sql_varchar"
  value="staticvalue">
  Also working sql (returns all rows matching clause)
  SELECT * FROM table WHERE 1=1 AND col1 = <cfqueryparam
  cfsqltype="cf_sql_varchar" value="#var1#"> AND col2 =
  <cfqueryparam cfsqltype="cf_sql_integer" value="#var2#"> AND
  col3 = 'staticvalue'
  Not working sql (returns only one row)
  SELECT * FROM table WHERE col1 = <cfqueryparam
  cfsqltype="cf_sql_varchar" value="#var1#"> AND col2 =
  <cfqueryparam cfsqltype="cf_sql_integer" value="#var2#"> AND
  col3 = 'staticvalue'
  As you can see, using cfqueryparam with the static value
  makes query #1 work and adding 1=1 in the where clause makes query
  #2 work. But I find it very, very strange that query #3 shouldn't
  work - and whats even more strange is that it somehow at least
  returns one row...
  Has anyone experienced any of this behaviour?
  Regards,
  Johan

  how many rows does this return:
  SELECT *
  FROM table
  WHERE
  col1 = <cfqueryparam cfsqltype="cf_sql_varchar"
  value="#var1#">
  AND col2 = <cfqueryparam cfsqltype="cf_sql_integer"
  value="#var2#">
  AND col3 = <cfqueryparam cfsqltype="cf_sql_varchar"
  value="staticvalue">
  Azadi Saryev
  Sabai-dee.com
  http://www.sabai-dee.com/

• Problem with select query that includes a date

  I've been fighting with this for about 4 hours - yes, quite literally... I've never been good with date stuff. I have a brain block.
  Anyway, here's the situation:
  I have an Access database that has a time/date field. There are no times, just a date in mm/dd/yyyy format.
  That table is a list of classes held for the past three years. I want to make a query that only shows the classes that have ended after January 1 of this year. I don't want to put 01/01/2010 in the query itself because I want it to still work next year.
  This is the current query:
  <cfquery name="classes" datasource="#DSN#" dbtype="ODBC">
  SELECT classesTitles.ClassTitle, classesTitles.ClassDesc, classCatagories.catagoryName, classes.classStart, classes.classEnd, classes.classNotes, owners.fName, owners.lName, classTime.timeSlot, classes.classID, classes.classLimit
  FROM classCatagories INNER JOIN (((classes INNER JOIN classesTitles ON classes.classTitle = classesTitles.classTitleID) INNER JOIN classTime ON classes.classTime = classTime.timeID) INNER JOIN owners ON classes.classInstructor = owners.ownerID) ON classCatagories.catagoryID = classesTitles.ClassType
  WHERE  classes.classEnd <  01/01/#DatePart("yyyy", now())#
  ORDER BY classes.classStart, classCatagories.catagoryName, classTime.timeSlot, classesTitles.ClassTitle
  </cfquery>
  I don't get any results, but I should get a list of every class that has an end date before January 1 of this year - about 200 records.
  When I swap around the where clause to:
  <cfquery name="classes" datasource="#DSN#" dbtype="ODBC">
  SELECT classesTitles.ClassTitle, classesTitles.ClassDesc, classCatagories.catagoryName, classes.classStart, classes.classEnd, classes.classNotes, owners.fName, owners.lName, classTime.timeSlot, classes.classID, classes.classLimit
  FROM classCatagories INNER JOIN (((classes INNER JOIN classesTitles ON classes.classTitle = classesTitles.classTitleID) INNER JOIN classTime ON classes.classTime = classTime.timeID) INNER JOIN owners ON classes.classInstructor = owners.ownerID) ON classCatagories.catagoryID = classesTitles.ClassType
  WHERE  classes.classEnd > 01/01/#DatePart("yyyy", now())#
  ORDER BY classes.classStart, classCatagories.catagoryName, classTime.timeSlot, classesTitles.ClassTitle
  </cfquery>
  I get EVERY class in the database, and I should only be getting about 50
  The classes are about 8 weeks long, the begin date and end date are in the database as date/time fields, so I need to show everything that ended in 2010, regardless of when it started.
  I'm sure it's something glaringly obvious, but it's escaping me.
  THANKS
  Michelle

  The format of your date field in access is irrelevent to the situation at hand.  Use proper date objects instead of trying to build a suitable string.  For the first of January of the current year, the coldfusion functions createdate(), year(), and now() are your freinds.  Then, in case Adam's post was not clear, use cfqueryparam with the resulting variable.

• CFQUERYPARAM - Can it work without throwing an error?

  I am using CFQUERYPARAM with great success in application; my
  problem is all application errors are emailed to a queue that is
  closely watched by a supervisor. So unless I put a try/catch around
  every single query, I get an email whenever a hack attempt or badly
  formed variable is passed in an URL string to any page on the site.
  We are using the cferror tag (<cferror type="EXCEPTION"...) to
  catch errors thrown by ColdFusion. Any suggestions how I can make
  CFQUERYPARAM mismatches either not thrown or ignored by
  CFERROR?

  quote:
  Originally posted by:
  sunshinerc
  I am using CFQUERYPARAM with great success in application; my
  problem is all application errors are emailed to a queue that is
  closely watched by a supervisor. So unless I put a try/catch around
  every single query, I get an email whenever a hack attempt or badly
  formed variable is passed in an URL string to any page on the site.
  We are using the cferror tag (<cferror type="EXCEPTION"...) to
  catch errors thrown by ColdFusion. Any suggestions how I can make
  CFQUERYPARAM mismatches either not thrown or ignored by CFERROR?
  Validate all user inputs before they get to your cfquery tag.

• PreserveSingleQuotes fails

  Hi,
  We are finally moving our comparatively large CF5 extranet to
  CF7, and I am running into an issue where SQL code that worked fine
  in CF5, and which used preserveSingleQuotes(), is now not being
  not-escaped properly in CF7 and failing. I've had to resort to
  something like
  replace(preserveSingleQuotes(SQL),"''","'")
  which is exactly what preserveSingleQuotes is meant to avoid.
  Has anyone else seen this behavior in CF Enterprise 7.0.2?
  More details: it's been seen on both Win Server 2k3 and XP
  Pro, accessing Oracle 9i, and in at least some cases (although not
  all) the SQL is stored in a session variable.

  Coming late,
  but, I have a lot of trouble to with "preservesinglequotes",
  which I did not have before V7, it seems to ?
  Example :
  <cfset sql = "select * from get_mou_f1 where mou_ocean = '#form.ocean_mer#'">
  <cfquery name="get_mou_f1"  dbtype="query">
      #preservesinglequotes(sql)#
  </cfquery>
  Where form.ocean_mer contains a single quote.
  Can you confirme this has to see with the CF version ?
  Is there an update to implement to CF V7.
  Thanks for your answer and cooperation.
  Pierre.

• Query output based on date - Oracle 8i

  I am trying to write a very simple query to output data based
  on date ranges, but I keep encountering an error.
  When I do this statement:
  select * from my.table
  where startdate > '2008-01-01'
  I get this error:
  [ODBC][Ora]ORA-01861: literal does not match format string
  When I format the select statement this way:
  select * from my.table
  where startdate > #2008-01-01#
  i get this error:
  [ODBC][Ora]ORA-00932: inconsistent datatypes: expected DATE
  got NUMBER
  Currently using CF8, and what I believe is Oracle 8i. I have
  tried formatting this data in many other ways, but can't get it to
  work. I know that when I query the database via access, it has no
  problem returning results with the SQL date formatted like
  #01/01/2008#

  You can use the Oracle to_date() function to convert your
  string to a date/time object:
  select * from my.table
  where startdate > to_date('2008-01-01', 'YYYY-MM-DD')
  Or, since you are using an ODBC connection to Oracle, you can
  try using the ColdFusion CreateODBCDate() function:
  select * from my.table
  where startdate > #CreateODBCDate("2008-01-01")#
  Or, as already suggested, use cfqueryparam with the
  appropriate CFSQLType, such as
  CF_SQL_TIMESTAMP instead of CF_SQL_INTEGER like you are
  attempting to do.
  You can't use a "string" date value against a date/time
  column in an Oracle query, as it won't perform an implicit type
  conversion.
  Phil

• Set Rowcount and Documentum

  I hope someone can help me. I have a pretty tough question.
  I am working on a Documentum system (document management) with an Oracle backend. I need to limit the collection results I get with the queries. But there's a catch.
  All SELECT statments must be performed in DQL (Documentum's proprietary QL). DQL does not support any method of limiting the results set in the query. Documentum does have an older API that allows SQL commands, but no SELECT statements are allowed with it. If we were running SQL Server or Sybase, I would perform the following:
  1. Create the Documentum session
  2. "execsql,c,set rowcount 10"
  3. Perform my query in DQL (All resultsets for this session are limited to 10 rows, until it's reset with another "set rowcount" command.)
  My question:
  Is there any equivalent way to limit the results in Oracle without using a SELECT statement? If this can't be done with code, is there any configuration setting in Oracle that can control the number of records returned?
  Thanks.

  <cfquery name = "getOcid" datasource="myDB">
        set rowcount 1
        select distinct
        myID,
        description
        from myTable
        where 1=1
        <cfif url.source eq "main">
              and myID = <cfqueryparam value='#form.OCID#' cfsqltype="cf_sql_varchar">
        </cfif>
        <cfif url.source eq "xls">
              and myID = <cfqueryparam value='#url.OCID#' cfsqltype="cf_sql_varchar">
        </cfif>
        -- set rowcount 0
  </cfquery>
  <!---
  Note: I commented out the final "set rowcount 0" - if this code is working properly, then any subsequent report
  page you view during the same user/session should return only one row, until you run into another
  "set rowcount 0"  statement;
  The code above recognized the set rowcount 1 statement only after I replaced the cfqueryparams with
  a simple variable (e.g.: and myID = '#form.OCID#');
  --->

• Recordset where date is 90 days or older.

  Hello,
  I am trying to build a recordset from a MSSQL database of records where c.date is 91 days or older.  It's been 3 years since I touched Coldfusion so my code below is a little rusty....
  <cfset todayDate = Now()>
  <!--- Populate Open Quotes --->
  <cfquery name="Quotes" datasource="quote">
  SELECT q.qid, q.cdate, q.name, q.region, q.cuid, q.quid, q.status, c.company,
  c.sitecity
  FROM quote q, customer c
  WHERE q.status = 'open' AND q.cuid = c.uniqueid AND q.cdate < (<cfoutput>#todaydate#</cfoutput>-90)
  ORDER BY cdate
  </cfquery>
  Any help on this would be greatly appreciated.....
  Thanks In Advance.
  Gary

  There are a few ways to do it. My preference is to use the DateAdd() function to calculate the date 90 days ago:  #DateAdd("d", -90, now())#
  Of course that will also include the time as well:  2009-12-21 17:21:00.  You can truncate the time (ie convert it to a date only) by using either the CreateODBCDate() function:
  WHERE q.cdate < #CreateODBCDate(DateAdd("d", -90, now()))# 
  ... OR by using cfqueryparam with the data type "cf_sql_date"
  WHERE q.cdate <    <cfqueryparam value="#DateAdd("d", -90, now())#" cfsqltype="cf_sql_date">
  Generally cfqueryparam is the better option for databases like MS SQL because a) it uses bind variables to help improve performance b) helps protect against sql injection. It also has some other nice features like the "list" and "null" attributes.
  http://www.adobe.com/devnet/coldfusion/articles/sql_injection.html
  (<cfoutput>#todaydate#</cfoutput>-90)
  BTW: You do not need to use <cfoutput> tags inside a cfquery. There may be exceptions, but generally any #variable# used inside a CF tag will be evaluated automatically (without cfoutput tags).

• Oracle 10g - issue with "DELETE from TABLE WHERE ID in (1,2,3)" (cfqueryparam used)

  Hello, everyone.
  I am having issues with running a DELETE statement on an Oracle 10g database.
  DELETE
  FROM tableA
  WHERE ID in (1,2,3)
  If there is only one ID for the IN clause, it works.  But if more than one ID is supplied, I get an "SQL command not properly ended" error message.  Here is the query as CF:
  DELETE
  FROM TRAINING
  WHERE userID = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#trim(form.userID)#">
       AND TRAINING_ID in <cfqueryparam value="#form.trainingIDs#" cfsqltype="CF_SQL_INTEGER" list="yes">
  Anyone work with Oracle that can help me with this?  I'm an experienced MS-SQL developer; Oracle is new to me.
  Thanks,
  ^_^

  Nevermind.. a co-worker just told me that I still have to use parenthesis around the values for the IN clause. 

• Struggling with array notation when converting to cfqueryparam

  I'm checking through some old code, tidying it up a little and making sure everything is using cfqueryparam - I've got the following bit of code and not sure what to do with it - I know cf_sql_array is available but I can't find any examples of information on it (or if that's exactly what I should be looking at):
  <cffunction name="myfunction" access="public" returntype="void" output="false">
             <cfloop index="i" list="#visualList#">
                 <cfif form["visual" & i] neq "NA">
                <cfquery name="assetVisualCheck" datasource="#APPLICATION.Config.dbdsnd#" username="#APPLICATION.Config.dbuname#" password="#APPLICATION.Config.dbpass#">
                      INSERT INTO assetVisual
                      (visualAssetID, visualBy, visualDate, visualResult)
                      Values ('#i#', '#cgi.REMOTE_USER#', now(), '#form["visual" & i]#')
                  </cfquery>
                  </cfif>
  </cfloop>
  </cffunction>
  list="#visualList#" should be a straightforward swap, #i# and #cgi.remote_user# don't need binding
  '#form["visual" & i]#' is the bit I want to make sure is right. #form.visual1# is a "P", "F" or "X"
  Am I overthinking this and it should just be
  <cfqueryparam cfsqltype="cf_sql_char" maxlength="1"
  value="#ARGUMENTS["visual" & i]#"

  Arguments will be passed from elsewhere and will replace the values sent from the current FORM.
  I want to make sure I'm on the right track before I start disassembling the code to move it to arguments

• "Invalid Column" on multiple where clauses with subqueries and cfqueryparam

  I'm seeing a behavior in the coldfusion cfquery that I'd like to find an exmplanation for .  I've got a query that does a subquery in the select portion and if I have multiple where lines, I get an "invalid column name" message for my second where clause, but only when I'm using cfqueryparam
  For example on the following I get "Invalid column name 'position_id'"
  SELECT   department_staff_tbl.*,
           (   SELECT   max(bookmark_id)
               FROM     bookmarked_items_tbl
               WHERE    item_id = department_staff_tbl.staff_id
           ) AS bookmark_id
  FROM     department_staff_tbl
  WHERE    department_id = <cfqueryparam value="#arguments.deptid#"  cfsqltype="cf_sql_integer">
  AND     position_id   = <cfqueryparam value="#arguments.posid#"   cfsqltype="cf_sql_integer">
  AND     staff_id      = <cfqueryparam value="#arguments.staffid#" cfsqltype="cf_sql_integer">
  If I change the order of my where clause so staff_id is first, then it tells me "department_id" is an invalid column.
  If I only have one where clause, it works.  (i.e. WHERE position_id = <cfqueryparam value="#arguments.posid#" cfsqltype="cf_sql_integer">).
  If I remove the where clause from my subquery (WHERE     item_id = department_staff_tbl.staff_id) it works.
  It also works if I remove the cfqueryparam from my where clause so that my query looks like this:
  SELECT   department_staff_tbl.*,
           (   SELECT   max(bookmark_id)
               FROM     bookmarked_items_tbl
               WHERE    item_id = department_staff_tbl.staff_id
           ) AS bookmark_id
  FROM     department_staff_tbl
  WHERE    department_id = #arguments.deptid#
  AND     position_id   = #arguments.posid#
  AND     staff_id      = #arguments.staffid#
  Any thoughts?

  I see two tables. So can the server. So, use qualified column-names.
  SELECT   department_staff_tbl.*,
           (   SELECT   max(bookmarked_items_tbl.bookmark_id)
               FROM     bookmarked_items_tbl
               WHERE    bookmarked_items_tbl.item_id = department_staff_tbl.staff_id
           ) AS bookmark_id
  FROM     department_staff_tbl
  WHERE    department_staff_tbl.department_id = <cfqueryparam value="#arguments.deptid#"  cfsqltype="cf_sql_integer">
  AND      department_staff_tbl.position_id   = <cfqueryparam value="#arguments.posid#"   cfsqltype="cf_sql_integer">
  AND      department_staff_tbl.staff_id      = <cfqueryparam value="#arguments.staffid#" cfsqltype="cf_sql_integer">

• Cfqueryparam numeric help - is this the best way

  I have an update in one of my programs and I'm using the
  cfqueryparam. It works fine if the value is not entered since the
  type is cf_sql_varchar. If the value is cf_sql_integer/cf_sql_float
  and the field is required, it again works fine. Now if the field is
  cf_sql_integer and not required, it will throw an error if no value
  is passed to it. I tried using the NULL parameter, but that will
  put NULL in the field every time. I finally ended up using a cfif
  statement to check. Is this the best way? Am I missing something?
  How do others handle this?

  Your's is as good a way as any. But since you asked, my
  approach is usually like this:
  Step 1, build a string variable called sql. Perform all your
  if/else and other logic at this step.
  Step 2
  <cfquery>
  #PreserveSingleQuotes(sql)#
  </cfquery>
  My method makes it almost impossible to use cfqueryparam
  because of all the quotes. However, I find it easier to develop,
  read, and maintain code when you have as much if/else, loop, etc
  processing in the same block of code.
  You might be able to do both. Something like
  Step 1 - use if/else logic to set a variable (call it null)
  to either yes or no.
  Step 2
  cfqueryparam null="#null#">
  I've never actually tried. Most of my work is with a db that
  does not support cfqueryparam so using it is not a high priority
  item for me.

• ColdFusion Script not work with Httpservice

  At first I use PHP to generate xml output on page then use
  the data to my httpservice with resultformat e4x. Everything is
  fine. But now I want to use coldfusion script since I'm planning to
  use ColdFusion as my web server. I have this script located on my
  server and generate the data in XML file then the XML file is used
  in my web, loaded through httpservice.
  My PHP code was like this :
  <?php
  define( "DATABASE_SERVER", "localhost" );
  define( "DATABASE_USERNAME", "root" );
  define( "DATABASE_PASSWORD", "" );
  define( "DATABASE_NAME", "MyCinema" );
  $mysql = mysql_connect(DATABASE_SERVER, DATABASE_USERNAME,
  DATABASE_PASSWORD) or die(mysql_error());
  mysql_select_db( DATABASE_NAME );
  $Query = "SELECT * FROM film";
  $Result = mysql_query( $Query );
  $Return = "<movies>";
  while ( $film = mysql_fetch_object( $Result ) )
  $Return .= "<film><judul>".$film->JUDUL.
  "</judul><deskripsi>".$film->DESKRIPSI.
  "</deskripsi><genre>".$film->GENRE.
  "</genre><produser>".$film->PRODUSER.
  "</produser><produksi>".$film->PRODUKSI.
  "</produksi><homepage>".$film->HOMEPAGE.
  "</homepage><durasi>".$film->DURASI.
  "</durasi><url>".$film->URL."</url></film>";
  $Return .= "</movies>";
  mysql_free_result( $Result );
  print ($Return);
  ?>
  And now I try to get the same result using coldfusion script.
  At first I dont write the XML to file, I just cfoutput it just like
  I do with PHP just print result but it doesnt work out with my
  HTTPservice. Until I try to write it to XML file then coding my
  httpservice to read directly from that XML file. here is my
  coldfusion code.
  <cfcomponent>
  <cffunction name="a" returnType="Void" output="true"
  access="remote">
  <cfprocessingdirective suppresswhitespace="Yes">
  <cfquery name="GetFilm" datasource="myCinemaData">
  SELECT b.* FROM playing a, film b
  WHERE a.kode_film=b.kode_film AND a.start >
  <cfqueryPARAM value = "#DateFormat(Now())#"
  CFSQLType = "CF_SQL_STRING">
  </cfquery>
  <cfxml variable="userXML">
  <movies>
  <cfloop query="GetFilm">
  <cfoutput>
  <film>
  <judul>#GetFilm.JUDUL#</judul>
  <deskripsi>#GetFilm.DESKRIPSI#</deskripsi>
  <genre>#GetFilm.GENRE#</genre>
  <produser>#GetFilm.PRODUSER#</produser>
  <produksi>#GetFilm.PRODUKSI#</produksi>
  <homepage>#GetFilm.HOMEPAGE#</homepage>
  <durasi>#GetFilm.DURASI#</durasi>
  <url>#GetFilm.URL#</url>
  </film>
  </cfoutput>
  </cfloop>
  </movies>
  </cfxml>
  </cfprocessingdirective>
  <cffile action="write"
  file="#expandPath(".")#\userXML.xml" output="#userXML#">
  </cffunction>
  </cfcomponent>
  Because I need to create the XML files first I try to execute
  this coldfusion script first using webservice before I execute my
  Httpservice but the XML file creation is slower than the execution
  of my httpservice afterthat so it shows an error that my XML file
  isn't not available. What can i do? I've tried to show the output
  using cfoutput and run that script directly on my httpservice just
  like the way I use print result on PHP but it produce an
  error.

  ... I try to execute this coldfusion script first using
  webservice before I execute my Httpservice but the
  XML file creation is slower than the execution of
  my httpservice afterthat so it shows an error
  that my XML file isn't not available.
  Then it might help to apply a named lock to ensure that the
  Httpservice runs only after the web service call is complete. For
  example, apply an exclusive named lock on the code that calls the
  web service and a readonly lock of the same name to the Coldfusion
  code that interacts with the Httpservice.