I am trying to figure out how I can test if the function of a component has returned a component or Boolean false.
For example a component's find method like
<cfset hotel = oHotel.findById(1200) />
<cfif hotel >
...
</cfif>
If a hotel is found then a component is returned, otherwise false.
Is it generally OK to write such code, or should I write to the cfif another way?
Use IsValid() function as follows
<cfset hotel = oHotel.findById(1200) />
<cfif IsValid("component",hotel)> //Hotel found
<!--- Code to perform if it is Component --->
<cfelse>
<!--- Code to perform if it is not a Component --->
</cfif>
Try this:
<cfif isBoolean( hotel )>
....
</cfif>
However, I would suggest making findById() return NULL if there is no hotel with the matching ID. Then you would use
<cfif !isNull( hotel )>
....
</cfif>
Alternatively, IsSimpleValue() can be used to determine if the variable is...a simple value. That is, not an array, struct, query, or component.
Returns
True, if value is a string, number, Boolean, or date/time value; False, otherwise.
<cfset hotel = oHotel.findById(1200) />
<cfif IsSimpleValue(hotel)>
<!--- it is a simple value, i.e., NOT a component --->
</cfif>
Related
Recently, a security risk company we hired identified a SQL injection risk for a specific parameter of a function in our Coldfusion application. The argument is correctly captured as a cfargument:
<cfargument name="status" required="false" type="string">
and also correctly paramed as a cfprocparam:
<cfif isDefined('ARGUMENTS.status') AND ARGUMENTS.status NEQ "">
<cfprocparam type="in" value="#ARGUMENTS.status#" dbvarname="#search_status" cfsqltype="cf_sql_varchar">
<cfelse>
<cfprocparam type="in" null="yes" dbvarname="#search_status" cfsqltype="cf_sql_varchar">
</cfif>
And then it's used in the stored proc this way, building a where clause for a SQL query:
if (len(#search_status) > 0)
begin
set #strWhere = #strWhere + ' AND e1.cps_txt LIKE '+ '''%'+#search_status+'%'''
end
Of course, paraming to make sure the value is a varchar can't prevent a string of malicious code being entered and passed. This seems like it could easily be a larger problem, too, since it's far from the only place in our application where string arguments are passed to cfc functions and then used in SQL queries.
I'm wondering if the best approach to remedy the security risk in this one case is to compare the argument's value to all of the possible expected values (there's about twenty of them, stored in a table), and if it doesn't match one of them, then to throw an error, or just pass to the stored proc as null.
Had to tackle this at a previous employer. The trick is to pass true or false to the null argument and to avoid writing all this conditional code that calls different versions of the procparam with or without the attribute. Just always have the attribute and put the conditional logic in the value.
<cfprocparam type="in"
dbvarname="#search_status"
cfsqltype="cf_sql_varchar"
value="#ARGUMENTS.status#"
null="#!(structKeyExists(arguments, "status") AND (len(arguments.status) NEQ 0))#">
Depending on the complexity of the condition, you can simply pass it as a variable.
<cfset statusNull = true>
<cfif structKeyExists(arguments, "status") AND (len(arguments.status) NEQ 0)>
<cfset statusNull = false>
</cfif>
<cfprocparam type="in"
dbvarname="#search_status"
cfsqltype="cf_sql_varchar"
value="#ARGUMENTS.status#"
null="#statusNull#">
And I'd like to reiterate the comment from SOS that mentions dynamic SQL. We also eliminated dynamic SQL from thousands of stored procedures and replaced it with the conditional check from his linked message. This is so much easier to read and debug than dealing with acres of string concatenation code.
WHERE ( #OrderId IS NULL OR tblOrder.OrderId = #OrderId )
AND ( #OrderCustomer IS NULL OR tblOrder.OrderCustomer = #OrderCustomer )
I would also avoid adding a query just to look up valid values for status before passing the argument to the this function/proc. That just adds overhead to you system for every call to this process.
I think you pretty much answered your own question. Here's an approach I've used in the past to handle validations using accepted values stored in a small lookup table. Do this before calling your stored procedure. I'll use generic names since I don't know your table and column names.
<!--- Validation code prior to running stored proc --->
<cfif isDefined('ARGUMENTS.status') AND ARGUMENTS.status NEQ "">
<!--- Query acceptable values --->
<cfquery name="qValidateSearchStatus" datasource="myDsn">
select
search_status
from
lookup_table
</cfquery>
<cfif listFind(valueList(qValidateSearchStatus.search_status), ARGUMENTS.status)>
<cfset statusValid = true>
<cfset statusNull = false>
<cfelse>
<cfset statusValid = false>
<cfset statusNull = false>
</cfif>
<cfelse>
<cfset statusValid = true>
<cfset statusNull = true>
</cfif>
<cfif statusValid>
<!--- Call stored procedure --->
<cfstoredproc procedure="myStoredProc" datasource="myDsn">
<cfif statusNull>
<cfprocparam type="in" null="yes" dbvarname="#search_status" cfsqltype="cf_sql_varchar">
<cfelse>
<cfprocparam type="in" value="#ARGUMENTS.status#" dbvarname="#search_status" cfsqltype="cf_sql_varchar">
</cfif>
</cfstoredproc>
<cfelse>
<!--- Process error handling --->
</cfif>
I'm using Ben Nadel's Reading Excel Files With ColdFusion And POI codes at https://www.bennadel.com/blog/472-reading-excel-files-with-coldfusion-and-poi.htm to read my excel file.
With his example codes I can read the excel file when rows in my excel are made uniform. Ben mentioned about this in his comment. But my excel however does not always has uniform rows. Some has birth date, some does not have gender, etc.
Ben Nadel's codes produce error once it hits the empty cell. It says, the
objCell variable does not exist. The following code crashes:
<cfset objCell = objRow.GetCell(JavaCast( "int", intCell )) />
Does anyone has an example and do not mind sharing the codes that can also read empty cells when looping?
I'm pasting Ben's codes here:
<!---
Create the Excel file system object. This object is
responsible for reading in the given Excel file.
--->
<cfset objExcelFileSystem = CreateObject(
"java",
"org.apache.poi.poifs.filesystem.POIFSFileSystem"
).Init(
CreateObject(
"java",
"java.io.FileInputStream"
).Init(
ExpandPath( "./jenna_jameson.xls" )
)
) />
<!---
Get the workbook from the Excel file system object that
we just created. Remember, the workbook contains the
Excel sheets that have our data.
--->
<cfset objWorkBook = CreateObject(
"java",
"org.apache.poi.hssf.usermodel.HSSFWorkbook"
).Init(
objExcelFileSystem
) />
<!---
For this demo, we are only interested in reading in the
data from the first sheet. Remember, since Java is zero-
based, not one-based like ColdFusion, the first Excel
sheet is at index ZERO (not ONE).
--->
<cfset objSheet = objWorkBook.GetSheetAt(
JavaCast( "int", 0 )
) />
<!---
We are going to build a ColdFusion query that houses the
Excel data, but we don't know anything about the data
just yet. So, just create the place holder for the query
and then we will add to it when we have more information.
--->
<cfset qCell = "" />
<!---
Get the Excel sheet's row iterator. This appears to be some
sort of implementation of the Java class java.util.TreeMap,
but I don't know much about that. What I do know, is that
this will allow us to loop over the rows in the Excel file
until there are no more to loop over. The interface for it
looks like the standard iterator interface.
--->
<cfset objRowIterator = objSheet.rowIterator() />
<!---
User the row iterator to loop over all the physical rows in
the Excel sheet. This condition checks to see if we have a
row to read in. At this point, the iterator is NOT pointing
at a valid Excel data row.
--->
<cfloop condition="objRowIterator.HasNext()">
<!---
We have determined that we have a valid row to read.
Now, move the iterator to point to this valid row.
--->
<cfset objRow = objRowIterator.Next() />
<!---
Get the number of physical cells in this row. While I
think that this can possibly change from row to row,
for the purposes of this demo, I am going to assume
that all rows are uniform and that this row is a model
of how the rest of the data will be displayed.
--->
<cfset intCellCount = objRow.GetPhysicalNumberOfCells() />
<!---
Check to see if the query variable we have it actually
a query. If we have not done anything to it yet, then
it should still just be a string value (Yahoo for
dynamic typing!!!). If that is the case, then let's use
this first data row to set up the query object.
--->
<cfif NOT IsQuery( qCell )>
<!---
Create an empty query. Doing it this way creates a
query with neither column nor row values.
--->
<cfset qCell = QueryNew( "" ) />
<!---
Now that we have an empty query, we are going to
loop over the cells COUNT for this data row and for
each cell, we are going to create a query column
of type VARCHAR. I understand that cells are going
to have different data types, but I am chosing to
store everything as a string to make it easier.
--->
<cfloop index="intCell" from="0" to="#(intCellCount - 1)#"
step="1">
<!---
Add the column. Notice that the name of the
column is the text "column" plus the column
index. I am starting my column indexes at ONE
rather than ZERO to get it back into a more
ColdFusion standard notation.
--->
<cfset QueryAddColumn(qCell,"column#(intCell + 1)#",
"CF_SQL_VARCHAR",ArrayNew( 1 )) />
</cfloop>
</cfif>
<!---
ASSERT: Whether we are on our first Excel data row or
our Nth data row, at this point, we have a ColdFusion
query object that has the proper columns defined.
--->
<!---
Add a row to the query so that we can store this row's
data values.
--->
<cfset QueryAddRow( qCell ) />
<!--- Loop over the cells in this row to find values. --->
<cfloop index="intCell" from="0" to="#(intCellCount - 1)#"
step="1">
<!---
When getting the value of a cell, it is important
to know what type of cell value we are dealing
with. If you try to grab the wrong value type,
an error might be thrown. For that reason, we must
check to see what type of cell we are working with.
These are the cell types and they are constants
of the cell object itself:
0 - CELL_TYPE_NUMERIC
1 - CELL_TYPE_STRING
2 - CELL_TYPE_FORMULA
3 - CELL_TYPE_BLANK
4 - CELL_TYPE_BOOLEAN
5 - CELL_TYPE_ERROR
--->
<!--- Get the cell from the row object. --->
----- **When it hit an empty cell CF throws error** ---
<cfset objCell = objRow.GetCell(JavaCast( "int", intCell)) />
<!--- Get the type of data in this cell. --->
<cfset objCellType = objCell.GetCellType() />
<!---
Get teh value of the cell based on the data type.
The thing to worry about here is cell forumlas and
cell dates. Formulas can be strange and dates are
stored as numeric types. For this demo, I am not
going to worry about that at all. I will just grab
dates as floats and formulas I will try to grab as
numeric values.
--->
<cfif (objCellType EQ objCell.CELL_TYPE_NUMERIC)>
<!---
Get numeric cell data. This could be a
standard number, could also be a date value.
I am going to leave it up to the calling
program to decide.
--->
<cfset objCellValue = objCell.GetNumericCellValue() />
<cfelseif (objCellType EQ objCell.CELL_TYPE_STRING)>
<cfset objCellValue = objCell.GetStringCellValue() />
<cfelseif (objCellType EQ objCell.CELL_TYPE_FORMULA)>
<!---
Since most forumlas deal with numbers, I am
going to try to grab the value as a number. If
that throws an error, I will just grab it as a
string value.
--->
<cftry>
<cfset objCellValue = objCell.GetNumericCellValue() />
<cfcatch>
<!---
The numeric grab failed. Try to get the
value as a string. If this fails, just
force the empty string.
--->
<cftry>
<cfset objCellValue = objCell.GetStringCellValue() />
<cfcatch>
<!--- Force empty string. --->
<cfset objCellValue = "" />
</cfcatch>
</cftry>
</cfcatch>
</cftry>
<cfelseif (objCellType EQ objCell.CELL_TYPE_BLANK)>
<cfset objCellValue = "" />
<cfelseif (objCellType EQ objCell.CELL_TYPE_BOOLEAN)>
<cfset objCellValue = objCell.GetBooleanCellValue() />
<cfelse>
<!--- If all else fails, get empty string. --->
<cfset objCellValue = "" />
</cfif>
<!---
ASSERT: At this point, we either got the cell value
out of the Excel data cell or we have thrown an
error or didn't get a matching type and just
have the empty string by default. No matter what,
the object objCellValue is defined and has some
sort of SIMPLE ColdFusion value in it.
--->
<!---
Now that we have a value, store it as a string in
the ColdFusion query object. Remember again that my
query names are ONE based for ColdFusion standards.
That is why I am adding 1 to the cell index.
--->
<cfset qCell[ "column#(intCell + 1)#" ][ qCell.RecordCount ] =
JavaCast( "string", objCellValue ) />
</cfloop>
</cfloop>
<!---
At this point, the excel data should be in a ColdFusion
query object. However, if the query did not contain any
record, then the row iterator was never launched which
mean we never actually defined a query. As one final check
just make sure we are dealing with a query.
--->
<cfif NOT IsQuery( qCell )>
<!--- Just define an empty query. --->
<cfset qCell = QueryNew( "" ) />
</cfif>
Perform below two steps to read empty cells also in ColdFusion-8:
Add a variable outside loops to represent HSSFCell. Example:
<cfset jCell = createObject("java", "org.apache.poi.hssf.usermodel.HSSFCell")>
Use function objRow.GetLastCellNum() instead of objRow.GetPhysicalNumberOfCells(). Example:
<cfset intCellCount = objRow.GetLastCellNum() />
Add a <cfif> condition to set value of variable objCellType based on existence of variable objCell. Example:
<cfset objCell = objRow.GetCell(JavaCast( "int", intCell)) />
<cfif structKeyExists(variables, "objCell")>
<cfset objCellType = objCell.GetCellType() />
<cfelse>
<cfset objCellType = jCell.CELL_TYPE_BLANK />
</cfif>
Replace variable name objCell in all references to objCell.CELL_TYPE_[type_name] with variable name created in step 1. Example:
<cfif (objCellType EQ jCell.CELL_TYPE_NUMERIC)>
I am trying to set a variable dynamically into a structure via CFLOOP. I have read Ben Nadal's blog post but cant seem to get the assignment correct. I would like to use dot notation and make the VIN a sub structure of values.
Here is my code:
<cfloop query="VINs">
<cfquery name="carsQue" datasource="carsData">
SELECT VIN, MODEL, MAKE, etc
FROM CarsDB
WHERE (VIN = #VIN#)
</cfquery>
<cfset carsStruct= StructNew()>
<cfset carsStruct.[VIN].MAKE = '#carsQue.MODEL#'>
<cfset carsStruct.[VIN].MODEL = '#carsQue.MAKE#'>
</cfloop>
Any guidance would be greatly appreciated,
Thanks
Running a query inside a loop is almost always a bad idea. In your case, a better option would be:
<cfif ListLen(valuelist(vins.vin)) gt 0>
<cfquery name=CarsQue datasource = "carsData">
select vin, model, make, etc
from carsDB
where vin in (<cfqueryparam cfsqltype="cf_sql_varchar"
value="#valuelist(vins.vin)#" list="true">)
</cfquery>
<cfset carsStruct = StructNew()>
<cfloop query="carsQue">
code for your struct
</cfloop>
<cfelse>
code for vins query returning no data
</cfif>
Better yet would be to get all the data with one query. You didn't provide enough information to determine if this was possible, but it often is.
Create a structure outside loop and and setting variable within loop can solve the problem. in a current scenario each time loop run its create a new structure.
you can do some thing like this
<cfset carsStruct= StructNew()>
<cfloop query="VINs">
<cfquery name="carsQue" datasource="carsData">
SELECT VIN, MODEL, MAKE, etc
FROM CarsDB
WHERE VIN = <cfqueryparam cf_sql_type="cf_sql_varchar" value="#VINs.VIN#">
</cfquery>
<cfset carsStruct[VINs.VIN].MAKE = carsQue.MODEL>
<cfset carsStruct[VINs.VIN].MODEL = carsQue.MAKE>
</cfloop>
Based on the limited information you've given you should be able to run one query and loop through that to add to your struct.
<cfset carsStruct= {}> //new struct
<cfif VINs.RecordCount> //your VINs query has records
<cfquery name="carsQueue" datasource="carsData">
SELECT VIN, MODEL, MAKE, etc
FROM CarsDB
// Quoted list of all your VINs. cfqueryparam prevents against SQL injection
WHERE VIN IN (<cfqueryparam cf_sql_type="cf_sql_varchar" value="#ValueList(VINs.VIN)#" list="true">
</cfquery>
<cfloop query="carsQueue">
<cfset carsStruct.[carsQueue.VIN].MAKE = carsQueue.MODEL>
<cfset carsStruct.[carsQueue.VIN].MODEL = carsQueue.MAKE>
</cfloop>
<cfelse>
// if VINs query return nothing a blank struct will be returned.
//You do NOT need this <cfelse> unless you are returning something when the query is blank
</cfif>
I am trying to write a function for a survey where it pulls questions from a database. The catch is that there are both active and unactive questions. I need older questions to show up when someone views the results from an old survey.
Here is the code I am trying within a CFC:
<cffunction name="getAllQuestions" access="public" returntype="query">
<cfargument name="survey" default=0>
<cfif len(#survey#) gt 0>
<cfquery name="getsdate" datasource="blah.database">
select * from past_survey
where survey_id = #survey#
</cfquery>
<cfreturn getsdate>
</cfif>
<cfquery name="getquestions" datasource="blah.database">
select * from pool_questions
<cfif len(#survey#) eq 0>
where active_flag='Y'
<cfelse>
where <cfqueryparam value="#dateformat
(getsdate.survey_date, "yyyy/mm/dd")#"> BETWEEN start_date AND
end_date
</cfif>
order by qtn_nb
</cfquery>
<cfreturn getquestions>
</cffunction>
#survey# is the survey id which is generated by the form. What I am trying to do is that if survey has a value to run query getsdate. Then the second query would run no matter if survey has a value or not. If there is not value it should pull all active questions. If there is a value then it should check if the survey date is between the start date and end date for past questions.
Any advice on how to make this work would be greatly appreciated. Thank you in advance!
<cffunction name="getAllQuestions" access="public" returntype="struct">
<cfargument name="survey" required="true" default="0" type="numeric">
<cfset var qryReturn = ""> <!---Always var scope your variables to prevent them from leaking to other functions --->
<cfset var structReturn = structNew()>
<cfset structReturn.pastSurvey = "">
<cfset structReturn.surveyQuestions = "">
<cfif survey GT 0>
<cfquery name="qryReturn" datasource="blah.database">
SELECT *
FROM past_survey
<!--- Always cfqueryparam to prevent SQL injection attacks & also always reference the scope to prevent confusion --->
WHERE survey_id = <cfqueryparam cfsqltype="cf_sql_integer" value="#arguments.survey#">
</cfquery>
<cfset structReturn.pastSurvey = qryReturn>
<cfelse>
<cfquery name="qryReturn" datasource="blah.database">
SELECT *
FROM pool_questions
<cfif arguments.survey EQ 0>
WHERE active_flag = 'Y'
<cfelse>
WHERE <cfqueryparam value="#dateformat
(getsdate.survey_date, "yyyy/mm/dd")#"> BETWEEN start_date AND
end_date
</cfif>
ORDER BY qtn_nb
</cfquery>
<cfset structReturn.surveyQuestions = qryReturn>
</cfif>
<cfreturn structReturn>
</cffunction>
You probably should be doing this in two separate functions, but I will attempt to answer your question.
My code will return a struct of queries (you can change to an array if you prefer) that returns a past survey and the survey questions
Note: In your example code, you have a few bad practices.
You are checking the length of the survey value rather than checking the value itself.
If you want to ensure that survey always has a value regardless of if it is passed or not, set requried=true and give it a default value.
Use cfqueryparam to prevent sql injection attacks
Any variables created in the function need to be var scoped to prevent them from leaking to other cffunctions in the same cfcomponent. I always do this at the top. Yes, even the name you give a cfquery needs to be var scoped.
Since you are doing a return after your first query, if the survey value is greater than 0 it will never get to the second query where it has the date check.
I see the following problems you need to address.
First, your survey argument has a default value of 0 and you are doing conditional logic on the length of it. The length of "0" is 1, so that condition will always return true.
Next, you state that you want the 2nd query to run whether the first one runs or not, but you refer to a value from the 1st query in the 2nd one. That means if the 1st query does not run, the 2nd one will crash due to an undefined variable.
Next, dateformat returns a string. Applying it the way you do in the 2nd query is at best unnecessary, and at worse, and indication that you are storing the start and end dates in pool_questions as strings. If you are attempting to strip out the time portion of the datefield in the first query, ColdFusion has a cast() function for that.
Also, scope your variables. ie - instead of <cfif len(survey), do this <cfif len(arguments.survey).
Also, var your local variables. In this case, it's the names of your two queries.
That should get you started.
If a series of queries are created like so:
<cfloop list="#platform_list#" index="x">
<cfquery name="#trim(x)#" dbtype="query">
<!--- stuff to build the query --->
</cfquery>
</cfloop>
and I then return the queries in a struct like so:
<cfset queries_RET = StructNew() />
<cfloop list="#platform_list#" index="x">
<cfif StructKeyExists(args, #trim(x)#)>
<!--- here's where I think things go horribly wrong --->
<cfset queries_RET[x] = #x# />
</cfif>
</cfloop>
<cfreturn queries_RET />
And then when returned to the calling function as "graphData", I try to access it like so:
<cfloop list="#platform_list#" index="x">
<cfif StructKeyExists(url, x) and StructKeyExists(graphData, x)>
<cfloop query="graphData[x]">
I get an error at the last line:
Attribute validation error for tag cfloop.
The value of the attribute query, which is currently graphData[x], is invalid.
The value of the struct at graphData[x] is a string having the same value as the element name... so what do I do to assign the query with that name instead? I'm sure it's ridiculously obvious. :(
EDIT:
I'll give the answer to Shawn, although I finally figured out what my underlying issue(s) are. First, I didn't realize that
<cfset queries_RET[x] = #x# />
doesn't actually assign the query to the element at x, but instead a reference to it. To assign the actual query object, I need to do this:
<cfset queries_RET[x] = #Evaluate(x)# />
Second, when the struct is returned to the calling function, calling
<cfloop list="#Application.platform_list#" index="x">
<cfloop query="#graphData[x]#">
didn't work because the query attribute of cfloop is looking for a reference to a query object --- and the query object it was looking for didn't exist since it hadn't been returned.
Finally, now that I am actually returning a valid query object, that query attribute still doesn't work, because now graphData[x] isn't a reference. To make it work, I have to first assign a reference, and use that as the query attribute in the cfloop:
<cfloop list="#Application.platform_list#" index="x">
<cfset thisQuery = #graphData[x]#>
<cfloop query="thisQuery">
I think that my fundamental problem was not understanding the the query attribute isn't an actual query object, but a reference to one instead. It's been a learning curve!
Try
<cfloop list="#platform_list#" index="x">
<cfif StructKeyExists(url, x) and StructKeyExists(graphData, url[x])>
<cfset q = graphData[x]>
<cfloop query="q">
If this throws
The value of the attribute query, which is currently q, is invalid
Then you should cfdump the q make sure it is a query object.
The <CFLOOP> query attribute takes the name of a query (string), not an actual query object.
When you pass something into that attribute, CF expects it to be a string.
If it's a literal, CF will expect it to be the name of a valid query.
If it's a variable, CF will expect the value of the variable to be equal to the name of the query.
Therefore, the output you ultimately want is:
<cfloop list="#platform_list#" index="x">
<cfloop query="#x#">
Here is a full snippet of code that confirms this, which you may refer to/compare to for your own code:
<cfset query_a = QueryNew('id,name,pass') />
<cfset QueryAddRow(query_a)>
<cfset QuerySetCell(query_a,'id',1)>
<cfset QuerySetCell(query_a,'name','joe')>
<cfset QuerySetCell(query_a,'pass','joe123')>
<cfset query_b = QueryNew('id,name,pass') />
<cfset QueryAddRow(query_b)>
<cfset QuerySetCell(query_b,'id',4)>
<cfset QuerySetCell(query_b,'name','pete')>
<cfset QuerySetCell(query_b,'pass','pete123')>
<cfset query_c = QueryNew('id,name,pass') />
<cfset QueryAddRow(query_c)>
<cfset QuerySetCell(query_c,'id',7)>
<cfset QuerySetCell(query_c,'name','frank')>
<cfset QuerySetCell(query_c,'pass','frank123')>
<cfset platform_list = 'query_a,query_b,query_c' />
<cfloop list="#platform_list#" index="x">
<cfloop query="#x#">
<cfoutput>#id# #name# #pass#</cfoutput><br/>
</cfloop>
</cfloop>
You'll notice in this snippet that if you change the query attribute back to "x" (rather than #x#) you'll produce the exact same error you are encountering now.
Why?
Answer: platform_list is a comma-delimited list of strings (which x becomes via the loop), not a comma-delimited list of Query objects.