I am working on a software where I cannot create a new member (ie person) with special characters in the surname. For example, the surname cannot be "O'Connor", because it contains a special character. But that type of surname can be added in database directly.
I am using ColdFusion and PostgreSQL 9.3. It works by removing the "cleantrim" function before surname in coding, but it is a temporary solution. Can anyone help me how we can do it?
'#Call.tSurName#',
'#TrimCleanValue(Call.tFirstName)#',
'#TrimCleanValue(CAll.tMiddleName)#',
'#TrimCleanValue(Call.tPReferredName)#',
'#TrimCleanValue(Call.tScoutingName)#',
'#TrimCleanValue(Call.tPostNominal)#',
'#Call.tTitle#',
You should be using cfqueryparam for all database inserts. Especially something coming from the client. Not only does cfqueryparam help prevent SQL injection it also escapes quotes and can help make your queries faster.
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tSurName#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tFirstName#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tMiddleName">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tPReferredName">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tScoutingName">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tPostNominal">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#Call.tTitle">
Related
I am using ColdFusion 10 Update 23 with MySQL database.
When I make a change to a script where I am using cfqueryparm the script causes this error message: "The type for attribute value of tag queryparam could not be determined."
This script works perfectly:
<cfquery name="i" datasource="tasktrack">
UPDATE qa_commitments
SET
commit_division = <cfqueryparam cfsqltype='cf_sql_integer' value='#trim(commit_division)#'/>,
commit_source = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(commit_source))#'/>,
commit_title = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(commit_title))#'/>,
commit_responsibility = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(commit_responsibility))#'/>,
<cfif Len(commit_cause)>commit_cause = <cfqueryparam cfsqltype='cf_sql_varchar' value='#commit_cause#'/>
<cfelse>commit_cause = NULL</cfif>,
commit_comments = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(PreserveSingleQuotes(commit_comments)))#'/>,
commit_issue_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_issue_date#'/>,
commit_response_due_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_response_due_date#'/>,
commit_response_compl_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_response_compl_date#'/>,
commit_action_due_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_action_due_date#'/>
<cfif IsDefined('commit_closeing_date')> ,commit_closeing_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_closeing_date#'/></cfif>
WHERE ID = #id#
If I open the script and add anything (i.e, a return, a tab, a comment), save the script I get the above error. If I restore the script from a older version it works fine again. I open the older one insert a line break w/enter key, save it and then it breaks again.
The really weird part is if I remove the cfqueryparam tags completely the script works again.
This happens on every script where I am using this tag.
The last update to CF was April 2017 and there are several scripts newer that work unless I edit them.
I have tried different editors with the same results.
I have googled my butt off with no results.
Can someone please point me in the right direction?
I can't tell you why it is broke, but I can tell you how I would fix it.
Putting <cfif>s inside of queries makes it so that the DB engine cannot cache the query. So I would move them out, and out the conditional logic within the query.
<cfquery name="i" datasource="tasktrack">
DECLARE #commit_clause varchar(40) = <cfqueryparam cfsqltype='cf_sql_varchar' value='#commit_cause#' null="#IIF(len(commit_clause)1, 0)#"/>
DECLARE #commit_closeing_date date = cfqueryparam cfsqltype='cf_sql_date' value='#commit_closeing_date#' null="#IIF(isDefined(Commit_closeing_date), 0, 1)#"/>.
UPDATE qa_commitments
SET
commit_division = <cfqueryparam cfsqltype='cf_sql_integer' value='#trim(commit_division)#'/>,
commit_source = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(commit_source))#'/>,
commit_title = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(commit_title))#'/>,
commit_responsibility = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(commit_responsibility))#'/>,
commit_cause = #commit_clause,
commit_comments = <cfqueryparam cfsqltype='cf_sql_varchar' value='#ucase(trim(PreserveSingleQuotes(commit_comments)))#'/>,
commit_issue_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_issue_date#'/>,
commit_response_due_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_response_due_date#'/>,
commit_response_compl_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_response_compl_date#'/>,
commit_action_due_date = <cfqueryparam cfsqltype='cf_sql_date' value='#commit_action_due_date#'/>,
commit_closeing_date = #commit_closeing_date
WHERE ID = #id# /* I would fix this too */
</cfquery>
Off topic
I would consider using Entities. I really don't like writing this stuff over and over.
I found the problem and the problem was McAfee scriptscan. I had IT guys turn it off and now the script works. IT is blaming it on the old version of Windows Server 2008 and it having a problem with McAfee Enterprise. Thanks for all the help. It really does help just to have someone to walk you through things.
I have few variables that contain multiple values. Basically I want to store all the values into my database. I am using this code which I got here in Stackoverflow.
<cfquery datasource="databaseName">
INSERT INTO spreadsheet
([Local.Time.Stamp],
[Energy.Delivered..kVAh.],
[Energy.Received..kVAh.],
[Energy.Received..kVARh.],
[Energy.Delivered..kVARh.],
[Real.A..kW.],
[Real.B..kW.])
VALUES
(<cfloop query="excelquery">
'#excelquery.col_1#',
'#excelquery.col_2#',
'#excelquery.col_3#',
'#excelquery.col_4#',
'#excelquery.col_5#',
'#excelquery.col_6#',
'#excelquery.col_7#'
</cfloop>)
</cfquery>
However I always get a syntax error. I believe that my cfloop part is wrong, can someone please tell me the correct way for me to write that cfloop?
The problem is with the generated query not cfloop i.e., for entering multiple values the format should be like this:
INSERT INTO TableName (col,col,...) VALUES (val,val,...),(val,val,...),...
Also, use cfqueryparam to avoid sql injection.
You can try this:
<cfquery datasource="databaseName">
INSERT INTO spreadsheet
([Local.Time.Stamp],
[Energy.Delivered..kVAh.],
[Energy.Received..kVAh.],
[Energy.Received..kVARh.],
[Energy.Delivered..kVARh.],
[Real.A..kW.],
[Real.B..kW.])
VALUES
<cfloop query="excelquery">
<!--- cf_sql_varchar is just an example. --->
(<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_1#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_2#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_3#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_4#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_5#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_6#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#excelquery.col_7#">)
#excelQuery.currentRow NEQ excelQuery.recordCount ? ',': ''#
</cfloop>
</cfquery>
You might have to add a recordCount check before generating the query to avoid errors for no records.
I ran an application scan (IBM) recently and now I'm trying to fix the issues that came up. A good majority of my issues stem from a cfquery (see below). I'm trying to get it so that Stored XSS and SQL injections issues don't show up on my scans. Any help would be greatly appreciated, as this is my first time doing something of the sort.
Thanks!
<cfquery name="enter_question" datasource="#dsn#">
INSERT INTO xx_questions(q_id,
q_name,
q_narrative,
q_used,
q_type)
VALUES( #variables.new_q_id#,
'#form.q_name#',
'#form.q_narrative#',
'n',
#form.q_type#)
</cfquery>
Each query that contains user inputs should have cfqueryparam like so:
<cfquery name="enter_question" datasource="#dsn#">
INSERT INTO xx_questions(q_id,
q_name,
q_narrative,
q_used,
q_type)
VALUES(
<cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#variables.new_q_id#"/>,
<cfqueryparam cfsqltype="CF_SQL_CHAR" value="#form.q_name#"/>,
<cfqueryparam cfsqltype="CF_SQL_CHAR" value="#form.q_narrative#"/>,
<cfqueryparam cfsqltype="CF_SQL_CHAR" value="n"/>,
<cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.q_type#"/>)
</cfquery>
The cfsqltype will need to reflect the data type in the xx_questions table for the cooresponding column - but you get the idea.
Binding the variable to a type in this manner automatically protects you against SQLi injection. XSS injection is something else. That's when user input is output onto the page. If a user pushes something (say a script tag) into a column in the DB and then it is output onto the page you haven't really suffered from injection (they gave you a character column, you put in a character column, they did not change the nature of the query). But in a forum app or any other area where user input from one user is shown to another you have the potential for malicious code infections.
For that each of your character types needs to be vetted for malicious code. Using something like Foundeo as a Web application Firewall can do this. You can also protect your page at a server level using the CF admin or at an application level using the scriptprotect attribute of the cfapplication tag or props in the application.cfc.
You can also manually protect within your DB inserts using HTMLEditformat like so:
<cfqueryparam cfsqltype="CF_SQL_CHAR" value="#htmleditformat(form.q_narrative)#"/>,
... or you can check each user input against a list of known allowed inputs (if the data is predictable). These techniques should be part of your "best practice" list if possible. :)
You need to use <cfqueryparam>. Check the documentation at: https://wikidocs.adobe.com/wiki/display/coldfusionen/cfqueryparam
Try something like this (you should change the CFSQLType to match whatever your DB columns are):
<cfquery name="enter_question" datasource="#dsn#">
INSERT INTO xx_questions(q_id,
q_name,
q_narrative,
q_used,
q_type)
VALUES(
<cfqueryparam value="#variables.new_q_id#" CFSQLType="CF_SQL_INTEGER">,
<cfqueryparam value="#form.q_name#" CFSQLType="CF_SQL_VARCHAR">,
<cfqueryparam value="#form.q_narrative#" CFSQLType="CF_SQL_VARCHAR">,
<cfqueryparam value="n" CFSQLType="CF_SQL_CHAR">,
<cfqueryparam value="#form.q_type#" CFSQLType="CF_SQL_INTEGER">
)
</cfquery>
I have the following cfquery:
<cfquery name="CQuery" datasource="XX.X.X.XXX">
INSERT INTO DatabaseName
(PhoneNumber_vch,
Company_vch,
date_dt)
VALUES(#PhoneNumber#,
#Company#,
#Date# )
</cfquery>
There are null values in case Company name doesnt' exist and I believe becasue of that Iam getting the following error:
Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near ','.
The comma , pointed in the error message is after #Company# field. Please let me know is it's because of null values and best approach to fix it?
The values in the PhoneNumber, company and Date are extracted from a XML SOAP response with proper usage of trim function as discussed in my previous post.
Using cfif in coldfusion
Thanks
If you use CFQueryParam like you should on any database SQL that accepts dynamic parameters you can kill two birds with one stone. First and most important, prevent SQL Injection Attacks and second you can use the attribute of the null="" to insert a NULL value into your record.
<cfquery name="CQuery" datasource="XX.X.X.XXX">
INSERT INTO DatabaseName (PhoneNumber_vch, Company_vch, date_dt)
VALUES(
<cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(PhoneNumber)#" null="#NOT len(trim(PhoneNumber))#" />
,<cfqueryparam cfsqltype="cf_sql_varchar" value="#trim(Company)#" null="#NOT len(trim(Company))#" />
,<cfqueryparam cfsqltype="cf_sql_timestamp" value="#Date#" null="#NOT len(trim(Date))#" />
)
</cfquery>
You will want to use <cfqueryparam> to take care of nulls (and injection attacks)
Try
<cfquery name="CQuery" datasource="XX.X.X.XXX">
INSERT INTO DatabaseName
(PhoneNumber_vch,
Company_vch,
date_dt)
VALUES(
<cfqueryparam value = "#PhoneNumber#" cfsqltype = "CF_SQL_VARCHAR">,
<cfqueryparam value = "#Company#" cfsqltype = "CF_SQL_VARCHAR"
null = "#IIF(Company EQ "", 1, 0)#">,
<cfqueryparam value = "#Date#" cfsqltype = "CF_SQL_TimeStamp"
null = "#IIF(Date EQ "", 1, 0)#" >
)
</cfquery>
Also see: cfqueryparam
You either need to qualify your varchar entries (surround all varchar entries with single quotes, or, better would be change them to cfqueryparams;
<cfquery name="CQuery" datasource="XX.X.X.XXX">
INSERT INTO DatabaseName
(PhoneNumber_vch,
Company_vch,
date_dt)
VALUES(<cfqueryparam value="#PhoneNumber#" cfsqltype="CF_SQL_VARCHAR">,
<cfqueryparam value="#Company#" cfsqltype="CF_SQL_VARCHAR">,
<cfqueryparam value="#Date#" cfsqltype="CF_SQL_TIMESTAMP"> )
</cfquery>
It has recently been mentioned to be that our method of inserting data into our SQL database via form submission is subject to SQL injection attacks, and want some advice to harden our security.
Here's the code that inserts form data into the DB:
<cfquery name="InsRegistrant" datasource="#application.Datasource#" dbtype="odbc">
INSERT INTO Schedule_Registrations(
schedule_id,
first_name,
last_name,
phone_number,
email,
guest,
list_type,
datetime_registered
)
VALUES(
#url.schedule_id#,
'#FORM.first_name#',
'#FORM.last_name#',
'#CleanPhoneNumber#',
'#FORM.email#',
#attendee.guest#,
<!--- Values for list types
0 = NEVER USE Will cause many many problems
1 = Main List
2 = Waiting List --->
#attendee.list_type#,
#createodbcdatetime(now())#
)
</cfquery>
CleanPhoneNumber is set this way:
<cfset CleanPhoneNumber = REReplace(form.phone_number, "[^0-9]", "", "ALL") />
I've been told to use, for instance,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#form.phone_number#" />
but I'm not sure what to replace and where. When I replace the values with such I get an error.
Any direction would be helpful..
You should wrap all form and url variables in cfqueryparam
Your query would look like this:
<cfquery name="InsRegistrant" datasource="#application.Datasource#" dbtype="odbc">
INSERT INTO Schedule_Registrations(
schedule_id,
first_name,
last_name,
phone_number,
email,
guest,
list_type,
datetime_registered
)
VALUES(
<cfqueryparam cfsqltype="cf_sql_integer" value="#url.schedule_id#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.first_name#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.last_name#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#CleanPhoneNumber#">,
<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.email#">,
<cfqueryparam cfsqltype="cf_sql_integer" value="#attendee.guest#">,
<!--- Values for list types
0 = NEVER USE Will cause many many problems
1 = Main List
2 = Waiting List --->
<cfqueryparam cfsqltype="cf_sql_integer" value="#attendee.list_type#">,
#createodbcdatetime(now())#
)
</cfquery>
I'm not sure I got all the data types correct, see the full documentation of cfqueryparam for all the data types.
There are several good practices you can do.
For the insert code you have provided one of the things you can do is explicitly check the input of the Form Fields before inserting the data.Check for things like spaces and "'". You also want to ensure that the user does not see your error messages from bad data entered. This is useful to somebody wanting to know your table structure.
Otherwise place the insert in a stored procedure and validate the input parameters before calling the stored procedure for the insert or update.
Here is a good list of things you can do to prevent SQL injection attacks. It is related to asp.net but the concepts still apply no matter what language you are using.
How To: Protect From Injection Attacks in ASP.NET