I have a CFM Page where I call a Stored Procedure.
The page seems to be timing out due to the query taking too long to execute.
We have tried optimizing/tuning the SQL query and made clustered and non-clustered indices, but the query is still taking around 4 minutes to execute.
Now, the only way to solve this is to increase the ColdFusion timeout in the front end.
But I have tried increasing the timeout by using the below snippet on the CFM page:
<cfsetting requestTimeOut="600">
But this is not working. The page keeps timing out after 120 seconds and throws the timeOut Error.
We have also tried to pass a URL parameter "requestTimeout=600", but the page is still getting timed out after 120 seconds.
Can you please suggest a solution to increase the timeout in ColdFusion other than the ways we have tried above?
Cfstoredproc has a timeout attribute you can use. Documentation is here.
Edit Starts Here
For MX7, try a cfquery tag. The timeout attribute is in seconds, and each parameter goes through cfqueryparam:
<cfquery name="qProc" datasource="#yourDatasource#" timeout="600">
exec yourProcedure
@param1 = <cfqueryparam cfsqltype="cf_sql_integer" value="#param1#">,
@param2 = <cfqueryparam cfsqltype="cf_sql_varchar" value="#param2#">
</cfquery>
You can call a stored procedure using the cfquery tag instead of the cfstoredproc tag. Below is a simple example (the argument is bound with cfqueryparam rather than interpolated into the SQL):
<cfquery name="qryName" datasource="#yourdatabase#">
call nameOfStoredProcedure(<cfqueryparam cfsqltype="cf_sql_varchar" value="#yourVariable#">);
</cfquery>
I use MySQL as the back end database engine; I do not know if this also works with other database engines.
OK, I'm stumped. I have a CF11 web application that is failing a web application audit report for SQL injection; this report is made by Acunetix.
Anyway, the report gives me 10 pages on my site that are vulnerable to SQL injection, but I checked the code, and I am in fact using cfqueryparam in each of these instances.
Example of one of the queries called by the handler:
<cfquery datasource="#application.DSN#" name="qResult" result="r">
update #table# s
set s.loader_status = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ucase(arguments.status)#">
<cfif isDefined("bio_loader_status") and bio_loader_status neq ''>
, s.bio_loader_status = <cfqueryparam cfsqltype="cf_sql_varchar" value="#ucase(bio_loader_status)#">
</cfif>
, s.session_id = NULL
, s.session_expiration = NULL
<cfif isDefined("arguments.rowid") and arguments.rowid neq ''>
where s.rowid = CHARTOROWID(<cfqueryparam cfsqltype="cf_sql_varchar" value="#arguments.rowid#">)
</cfif>
</cfquery>
Everything I have read tells me that I am protected against SQL attacks (using cfqueryparam, using datasource and table variables, etc.), yet the report claims otherwise:
URL encoded GET input rowid was set to 1'"
Error message found: Error Executing Database Query
GET /index.cfm/status?rowid=1'%22&type=billing HTTP/1.1
Can anyone shed some light on what I'm doing wrong? Or is the report not correct in its assumptions?
Furthering Alex's assertion:
They want you to gracefully handle the fact that rowid is not a number; they don't want to see the standard error message.
My previous employer has regular penetration tests (pen tests) performed against their applications. The error messages output from CF will just render the strings of the attack on the screen. This is fine for non-production, non-QA environments where you need or want debugging information to display on screen. In production, you never want to tip your hand as to where the code tripped up.
The error message GET /index.cfm/status?rowid=1'%22&type=billing HTTP/1.1 tells the attacker which file and its path, along with a URL parameter that it can further attack. If this file was an include in your request stack and that file can be requested directly, you may then be open to further attacks. You need to catch this error and output a message.
If you have to be logged in to access this URL, that's one thing. A public URL shouldn't have any information specific to the problem. Don't output something like "The rowID must be an Integer" or "rowID is invalid". That will just cause more attacks. "Invalid request" is fine for a public URL error.
Now, to the case when <cfqueryparam> actually can't stop an injection attack. Some legacy stored procedures at my previous company use dynamic SQL. Much like in CF, strings would be concatenated inside the proc and the SQL execute command would run the final SQL string. It is possible to pass an encoded string to <cfqueryparam> that will then get injected into the SQL string inside the proc as it is pieced together. For this, we had to update piles of old procs to validate string parameters, looking for certain strings to reject.
If possible, you should add a Web Application Firewall to your infrastructure. The Online ColdFusion Meetup Group is having a presentation on one software based WAF for CF applications tomorrow. I'm sure it will be recorded if you can't attend. I just last night finished moving my current CF site to AWS, where we made sure to add their WAF to our stack for security. This doesn't mean that we don't need to properly catch errors and show appropriate messages, but it does tend to lighten the load when you can have it reject known attack vectors before the request even gets to the application server.
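The two points above (reject malformed input before it reaches the database, and never echo the database error on a public URL) as an added example in CFML. This is not code from the question or from either answer; it is a hypothetical rewrite of the status handler shown in the question. The table name, the ROWID pattern (18 characters of A-Z, a-z, 0-9, + and /, the usual Oracle ROWID shape) and the allowlist of status values are assumptions made for the example, as is reading the status from the "type" URL parameter seen in the audit log.

```cfml
<!--- Added example, not from the original post. Hypothetical handler for
      /index.cfm/status?rowid=...&type=... (assumed parameter mapping). --->
<cfparam name="url.rowid" default="">
<cfparam name="url.type"  default="">

<!--- Assumption: Oracle-style ROWID, 18 characters from the set below --->
<cfset rowidPattern = "^[A-Za-z0-9+/]{18}$">
<!--- Allowlist of statuses this handler may write (constructed for the example) --->
<cfset allowedStatus = "LOADED,PENDING,FAILED">

<!--- Validation failures get one generic answer, whatever the reason --->
<cfif NOT reFind(rowidPattern, url.rowid)
      OR NOT listFindNoCase(allowedStatus, url.type)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid request</cfoutput>
    <cfabort>
</cfif>

<cftry>
    <!--- Fixed table name; both values are bound, never concatenated --->
    <cfquery datasource="#application.DSN#" name="qResult" result="r">
        UPDATE loader_status_table s
        SET s.loader_status = <cfqueryparam cfsqltype="cf_sql_varchar" value="#uCase(url.type)#">,
            s.session_id = NULL,
            s.session_expiration = NULL
        WHERE s.rowid = CHARTOROWID(<cfqueryparam cfsqltype="cf_sql_varchar" value="#url.rowid#">)
    </cfquery>
    <cfoutput>Status updated</cfoutput>

    <cfcatch type="database">
        <!--- Detail goes to the server log for the developers, not to the browser --->
        <cflog file="status-handler" type="error"
               text="UPDATE failed: #cfcatch.message# | #cfcatch.detail#">
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Invalid request</cfoutput>
        <cfabort>
    </cfcatch>
</cftry>
```

With this in place the scanner's probe value of 1'" fails the pattern check and gets the same "Invalid request" response as any other bad input, so there is no "Error Executing Database Query" string for the report to match on, and a genuine database failure is still recorded where you can read it.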
The query returns only 4-5 rows. It takes less than 1 second to execute. I have tried increasing the timeout of both cfquery and cfsetting, but it is not working. Most of the time the code runs successfully, but I get this error after every 20-30 requests. I am using a SQL Server database. I know that when you restart the CF server or DB server a timeout issue sometimes occurs, but this error is coming without restarting any service (CF or SQL Server). I think there should be some setting changes in the CF server; please suggest.
The request has exceeded the allowable time limit Tag: CFQUERY
The error occurred on line 180.
<CFQUERY NAME="Sections" DATASOURCE="abcd">
SELECT * FROM News_Sections where Section = 'Home' ORDER BY Page_order
</CFQUERY>
The likely problem here is going to be the database not ColdFusion. I have a couple of tips for you. First, using the MSSQL Activity Monitor check out blocks (as a wait type). If you see a block or a "head blocker" click on that item and it will show you the query (sometimes :).
Once you locate it, fixing the problem will involve indexing or changing the query (complex joins or sub-queries often have unexpected consequences).
You might have some luck using "WITH(nolock)" in the above query to allow for a dirty read (probably OK if you are just getting categories). You might also consider caching the above query using cachedwithin or placing it in the application scope. If it is just broad "home" categories that seems reasonable to me (though obviously I don't know your schema).
My final bit of advice is to examine the page on which the error takes place closely. Sometimes the line number is off a bit. If you have groups of queries together it may not be the query you think is erroring out but the one above it. It's not common but it can happen.
As was pointed out by Mr. Bracuk, this may not be a problem with your query. This error has to do with the setting in the CFAdmin for Request timeouts. It is the page that is loading that has experienced the timeout and thrown the error. When the timeout occurred it just happened to be processing your query.
So, while the query is a good place to start looking, make sure to examine the entire script when searching for the cause of the timeout.
My function runs a query, and it takes some time depending on the requested data. While the query is running, I want to show a real query-loading cfprogressbar and change the status/title while the cfprogressbar is making progress. I'm still searching on Google; till now no luck, all examples show a static time.
I was thinking that if I can get the real cfquery loading time, I'll pass that value to cfprogressbar. Please advise.
coldfusion 11
windows 2012
cfprogressbar
cfquery
Unfortunately you can't show an accurate progress bar. The ColdFusion engine does not run your query, the database server runs your query and for that reason the ColdFusion engine does not know where your db server is at while running the query. You can show a 'spinner' if you want to let your user know that something is going on.
Does anyone have an example of ColdFusion working with neo4j (or some other graph db)?
The common practice is to have an application service connect to a db. In CF it looks like the code below. One can then output the data.
<cfquery name="q" datasource="myDatasource">
select * from tbl where x=y
</cfquery>
What I'm looking for is a way to connect to and 'consume' graph data, such that I can feed it to a UI that displays the graph connections.
I am currently at step 1. How do I connect to a db (I'm liking neo4j) so I can pass a query and get something back. Ideally something like:
<cfquery ... >
MATCH (node)
RETURN node.propertyA, node.propertyB
</cfquery>
Is it even possible?
I would use CFHTTP and use Neo4j's REST endpoint to query Neo4j.
http://neo4j.com/docs/stable/rest-api-cypher.html
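The approach in the answer as an added CFML example: this is not code from the answer or from Neo4j, and it assumes the legacy Cypher endpoint at the URL the answer links to (POST /db/data/cypher taking a JSON body with "query" and "params", answering with "columns" and "data"), a local Neo4j on port 7474, a :Person label, and basic-auth credentials that you would replace. The point worth copying is that the user-supplied value goes in "params" and is never concatenated into the Cypher text, which is the Cypher equivalent of cfqueryparam.

```cfml
<!--- Added example, not from the original post. Assumed: Neo4j 2.x/3.x legacy
      REST endpoint, local instance, label/property names chosen for illustration. --->
<cfparam name="url.name" default="">

<cfset neo4jUrl = "http://localhost:7474/db/data/cypher">

<!--- Bracket notation keeps the key case the endpoint expects ("query", "params") --->
<cfset payload = structNew()>
<cfset payload["query"]  = "MATCH (n:Person) WHERE n.name = {name} RETURN n.propertyA AS a, n.propertyB AS b">
<cfset payload["params"] = structNew()>
<cfset payload["params"]["name"] = url.name>

<cfhttp url="#neo4jUrl#" method="post" result="resp"
        username="neo4j" password="REPLACE_ME" timeout="30">
    <cfhttpparam type="header" name="Accept" value="application/json; charset=UTF-8">
    <cfhttpparam type="header" name="Content-Type" value="application/json">
    <cfhttpparam type="body" value="#serializeJSON(payload)#">
</cfhttp>

<cfif resp.statusCode does not contain "200">
    <!--- Fail closed; log resp.fileContent server-side if you need the detail --->
    <cfthrow message="Graph query failed" detail="HTTP #resp.statusCode#">
</cfif>

<!--- Assumed response shape: { "columns": ["a","b"], "data": [[valA, valB], ...] } --->
<cfset result = deserializeJSON(resp.fileContent)>
<cfset nodes  = arrayNew(1)>
<cfloop array="#result.data#" index="row">
    <cfset node = structNew()>
    <cfset node["a"] = row[1]>
    <cfset node["b"] = row[2]>
    <cfset arrayAppend(nodes, node)>
</cfloop>

<!--- Hand the array to the UI as JSON --->
<cfcontent type="application/json" reset="true"><cfoutput>#serializeJSON(nodes)#</cfoutput>
```

Relationships come back the same way: a RETURN clause that lists the start node, the relationship type and the end node gives you rows you can turn into the node/edge lists a graph widget expects.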
ColdFusion has a system-created client variable called lastvisit.
Is there a way to get the value of that variable during the request that it is actually set (i.e. client.thisvisit)?
The idea would be that I can store the "ThisVisit" timestamp in session and then compare it to lastvisit when the next request is made. This would tell me if another request was made in the session.
The purpose is that we have a page that we use an ajax record lock on which refreshes the lock every minute. After sixty minutes the ajax lock code will automatically log the user out of the website (due to inactivity). The issue arises where the user is executing tasks in other windows/tabs (indication of activity).
Since all requests update LastVisit, I would like to have the ajax lock code save a "thisvisit" value so that the next time it runs it can compare it to the LastVisit client variable.
A couple requirements:
Set up to use a DB rather than the registry for your client vars (trust me).
Client vars have to have "global variables" enabled.
Your cfapplication or application.cfc has to have client management enabled.
If you have those three things you can select a query like the following:
<cfquery name="getLvisit" datasource="myClientVarsDB">
SELECT lvisit
FROM cglobal
WHERE cfid =
<cfqueryparam cfsqltype="cf_sql_char" value="#urltoken#"/>
</cfquery>
urltoken might be wrong... it may need the jsessionID or CFID but my memory tells me cftoken. I'd have to hunt down a site using Client DBs to give you a definitive answer.
So that would give you the current value of the lvisit variable. You would store this in the session and then compare it against the value from the table on subsequent queries before you overwrite it again (if that makes sense).
Note - this value is updated on each request - so your query gets the current value (before it has been updated). I previously thought it was updated first, but according to Tom it's actually updated last.
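The comparison the answer describes, as an added CFML example for the endpoint the ajax lock calls every minute. This is not code from the question or the answer. It takes the datasource, table and column names and the #urltoken# lookup value from the answer above (the answer itself says that value may need to be CFID/CFTOKEN instead); the 60-minute limit comes from the question, and the session variable names and the tolerance of a few seconds are assumptions.

```cfml
<!--- Added example, not from the original post. Endpoint hit by the ajax lock
      once a minute. Table/column/lookup value follow the answer (assumed). --->
<cfset inactivityLimitMinutes = 60>

<!--- First call in this session: seed both markers --->
<cfparam name="session.lastPingSeen" default="#now()#">
<cfparam name="session.lastActivity" default="#now()#">

<!--- lvisit still holds the previous request's time when this runs,
      because ColdFusion writes the new value at the end of the request --->
<cfquery name="getLvisit" datasource="myClientVarsDB">
    SELECT lvisit
    FROM cglobal
    WHERE cfid = <cfqueryparam cfsqltype="cf_sql_char" value="#urltoken#"/>
</cfquery>

<!--- If the stored lvisit is later than the ping we recorded last time
      (by more than a few seconds, to absorb the gap between our now() and
      ColdFusion's end-of-request write), some other request came in
      between pings: another tab or window is active --->
<cfset otherActivity = false>
<cfif getLvisit.recordCount EQ 1
      AND dateDiff("s", session.lastPingSeen, getLvisit.lvisit) GT 5>
    <cfset otherActivity = true>
    <cfset session.lastActivity = now()>
</cfif>

<cfif dateDiff("n", session.lastActivity, now()) GTE inactivityLimitMinutes>
    <!--- Inactive for the full window: end the session, tell the page --->
    <cfset structClear(session)>
    <cfcontent type="application/json" reset="true">{"status":"loggedOut"}
    <cfabort>
</cfif>

<!--- Record this ping for the next comparison, then renew the record lock --->
<cfset session.lastPingSeen = now()>
<cfcontent type="application/json" reset="true"><cfoutput>{"status":"ok","otherActivity":#serializeJSON(otherActivity)#}</cfoutput>
```

Because the ping itself counts as a request, the comparison only works if the ping is the one place that records session.lastPingSeen; any other request that touched it would mask the activity it is meant to detect.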