ColdFusion Query attribute repetition - coldfusion

I'm developing a basic ColdFusion application for a class and cannot control the CFAdmin.
I was wondering if there was a way to avoid the repetition of the attributes datasource, username and password in each one of my queries, since they're always the same.
Replacing:
<cfquery name="name"
datasource="datasource"
username="username"
password="password">
By:
<cfquery name="name">
Thanks!

If you're using ColdFusion 9.01 or higher you can set these values within Application.cfc. In summary:
Application.cfc lets you specify data source authentication details
for the data source. The data source settings can now be a string or a
struct. When string, it is considered to be the data source name and
authentication information is taken from the data source defined in
the ColdFusion Administrator.
You can specify the authentication information using a struct value
for data source. The following are the key names:
name: data source name
username: Username for the data source
password: Password for the data source
Example:
<cfset this.datasource={name='cfartgallery'
, username="user"
, password="passwd"}>
or
<cfset this.datasource="cfartgallery">
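To show the two halves together, here is an added example (not code from the answer above): an Application.cfc that sets this.datasource as a struct, and a page whose query then needs neither datasource, username nor password. The application name, the data source name and credentials, the artists table and the url.id parameter are assumptions.

```cfml
<!--- Application.cfc (added example, not from the original answer) --->
<cfcomponent output="false">
    <cfset this.name = "classApp" />   <!--- assumed application name --->

    <!--- ColdFusion 9.0.1+: data source name plus credentials in one struct.
          The keys are exactly name, username and password; the values here are
          placeholders for your own data source. --->
    <cfset this.datasource = { name = "cfartgallery", username = "user", password = "passwd" } />
</cfcomponent>

<!--- anyPage.cfm: no datasource, username or password attribute on the query.
      User input still goes through cfqueryparam rather than into the SQL text. --->
<cfparam name="url.id" type="integer" default="1" />

<cfquery name="getArtist">
    SELECT artistid, firstname, lastname
    FROM   artists
    WHERE  artistid = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer" />
</cfquery>

<!--- encodeForHTML() is ColdFusion 10+; on 9.x use htmlEditFormat() --->
<cfoutput query="getArtist">
    <p>#encodeForHTML(firstname)# #encodeForHTML(lastname)#</p>
</cfoutput>
```

Every cfquery in the application picks up the struct from Application.cfc, so the credentials live in one file instead of in every template.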

Related

Change filename of attachments on Coldfusion

I'm using cfmailparam to attach files to an email. I'm getting the filenames and paths from my database. Normally, the attached files have unique names, but I can get their original filenames by querying the following columns in a database table:
ASSET_FILE_NAME: unique name
ASSET_REAL_NAME: original_name_before_upload.pdf
When I send the e-mail with cfmail, the attachments still use the unique names, but I really need to rename them. I've searched and tried also:
<cfloop from="1" to="#assetfiles.RecordCount#" index="i">
<cfmailparam
file="C:\files\#assetfiles.ASSET_FILE_NAME[i]#"
type="application/pdf"
disposition="attachment; filename=""#assetfiles.ASSET_REAL_NAME[i]#"""
/>
</cfloop>
But this is not working for all attachment files. It changes just 1 filename and the other ones still use the unique names.
Is there any way to make this possible?
There are a few ways you could do this
You could rename the files themselves
Create duplicates and then use the remove="true" attribute of cfmailparam
Read the files with the odd names and attach them with a new name: <cfmailparam file="niceName.pdf" type="application/pdf" content="#fileReadBinary('C:\files\oddName.pdf')#">
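An added example (not the answer's own code) of the third option carried through a whole mailing: each record's file is read as bytes and attached under its ASSET_REAL_NAME through the content attribute, so nothing on disk is renamed or duplicated. It assumes the question's assetfiles query and the C:\files\ directory; the addresses are placeholders.

```cfml
<!--- Added example, not the answer's code: one attachment per query row, each
      sent under its original name. Assumes the question's query "assetfiles"
      (ASSET_FILE_NAME, ASSET_REAL_NAME) and files stored under C:\files\. --->
<cfset baseDir = "C:\files\" />

<cfmail to="recipient@example.com"
        from="sender@example.com"
        subject="Your documents"
        type="text">
Please find the requested documents attached.
<cfloop query="assetfiles">
    <!--- keep only the bare file name on both sides: a stored name must not be
          able to point outside baseDir, even if the row was tampered with --->
    <cfset storedName = getFileFromPath(assetfiles.ASSET_FILE_NAME) />
    <cfset niceName   = getFileFromPath(assetfiles.ASSET_REAL_NAME) />
    <cfset fullPath   = baseDir & storedName />
    <cfif fileExists(fullPath)>
        <!--- when content is given, "file" is used only as the attachment name --->
        <cfmailparam file="#niceName#"
                     type="application/pdf"
                     content="#fileReadBinary(fullPath)#" />
    <cfelse>
        <cflog file="mail-attachments" type="warning" text="missing attachment #fullPath#" />
    </cfif>
</cfloop>
</cfmail>
```

fileReadBinary() is used rather than fileRead() because a PDF is binary and a string read would corrupt it; the fileExists() check keeps one missing file from failing the whole message.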

Duplicating and Renaming a file and storing name in Database

I have a register page that asks for information like employee_number, user_name, user_pass, firstname, lastname, position, email, phone_extension, department, picture. Once they fill this information out and they hit register it all gets uploaded into a database.
Is it possible to have it create a profile page specific to that user based on the information in the database?
For example, if I registered to have it create DavidBriertonProfile.cfm from my template Profile.cfm and have it add DavidBriertonProfile.cfm in the database so I can use that name to reference later. But is it possible to take my template Profile.cfm and rename it based on their name and have it added to profiles/(TheirNameProfile).cfm
I have been playing with cffile in order to create a path but I need it to be behind the scenes selecting my template file where the user never sees any of this.
<cffile
action = "upload"
file = "#expandPath("/webapps/dash/profiles/profile.cfm")#"
destination = "#expandPath("/webapps/dash/profiles/")#"
nameConflict = "MakeUnique"
result = "myfile"
/>
There are two primary options
Create a static file from a coldfusion template...
<cfsavecontent variable="filecontent">
<cfinclude template="profile.cfm" />
</cfsavecontent>
<cffile action="write" file="profiles/#FirstNameLastName#Profile.html" output="#filecontent#" />
<!--- it looks like the "nameconflict" option is only available for upload action so will have to deal with that --->
Create a file just for setting the userid and including profile.cfm
<cffile action="write"
file="profiles/#FirstNameLastName#.cfm"
output="<cfset userid ='#UserID#' /><cfinclude template='../profile.cfm' />"
/>
Some other options include
Save the name of the unique cfm file you would create (ex: DavidSmith12Profile) but don't actually create it and instead use the OnMissingTemplate function in Application.cfc to take the name supplied and perform a database lookup and then show the profile result
Perform a URL rewrite on the webserver to transform any request to paths of format /profiles/(.+) to /profile.cfm?filename={\1} and then do a database lookup by the filename directly in profile.cfm
enjoy
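An added example (not the answer's code) of the "save the name but don't create the file" option: Application.cfc answers any request for /profiles/<Name>Profile.cfm by looking the name up in the database and including the one shared template, so no per-user .cfm file is ever written and no user-derived value is baked into source on disk. The data source name, the users table and its columns, and the template path are assumptions.

```cfml
<!--- Application.cfc (added example, not from the answer above) --->
<cfcomponent output="false">
    <cfset this.name = "dash" />          <!--- assumed application name --->
    <cfset this.datasource = "dash" />    <!--- assumed data source name --->

    <cffunction name="onMissingTemplate" returntype="boolean" output="true">
        <cfargument name="targetPage" type="string" required="true" />
        <cfset var profileName = "" />
        <cfset var getUser = "" />

        <!--- only answer for profiles/<letters and digits>Profile.cfm; anything
              else returns false and gets the normal missing-template handling --->
        <cfif NOT reFindNoCase("^/?profiles/[A-Za-z0-9]+Profile\.cfm$", arguments.targetPage)>
            <cfreturn false />
        </cfif>
        <cfset profileName = getFileFromPath(arguments.targetPage) />

        <!--- assumed table users(user_id, profile_page), where profile_page holds
              the stored name, e.g. "DavidBriertonProfile.cfm" --->
        <cfquery name="getUser">
            SELECT user_id
            FROM   users
            WHERE  profile_page = <cfqueryparam value="#profileName#" cfsqltype="cf_sql_varchar" />
        </cfquery>
        <cfif getUser.recordCount EQ 0>
            <cfreturn false />
        </cfif>

        <!--- the single template reads request.userid instead of a value written into a file --->
        <cfset request.userid = getUser.user_id />
        <cfinclude template="/profile.cfm" />
        <cfreturn true />
    </cffunction>
</cfcomponent>
```

The registration page only has to store the chosen profile name in the users table; an unknown name falls through (returns false) so it is reported as missing like any other page.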

CFWheels: Map table to another database Database.tablename

I have a datasource called "cforms" which has access to two databases,
"cforms" and "cquizes".
I wish to create the following query:
select * from cquizes.tb_depts;
I have a model for table "tb_depts":
<cfcomponent extends="Model">
<cffunction name="init">
<cfset table("tb_depts")>
</cffunction>
</cfcomponent>
And my controller:
list = model("tb_depts").findAll(order="id");
When I run this controller/action, it gives me the following error:
[Macromedia][Oracle JDBC Driver][Oracle]ORA-00942: table or view does not exist
And it generates the following query:
SELECT * FROM tb_depts
I understand what the problem is: since "tb_depts" doesn't exist in database "cforms" it throws that not found error. However, is there a way to tell the model that, using the datasource "cforms", it should access database "cquizes"? For example
cquizes.tb_depts
It seems to use the database that matches the datasource name. Is there a way to work around this functionality?
If you need to get data from another database, there is an alternative way. For that you need to create a datasource for your second database cquizes. Then use that datasource name in the model file. This will override the default datasource for that model.
For example, if you name your second datasource cquizdatasource, then your model would look like
<cfcomponent extends="Model">
<cffunction name="init">
<cfset dataSource("cquizdatasource")>
<cfset table("tb_depts")>
</cffunction>
</cfcomponent>
Your query should work fine with the said scenario in the question. There are limitations to this, check out the link to know more.

Encoding E-Mail Addresses: EncodeForHTML or EncodeForURL

When a user registers on a site, should we use EncodeForHTML() or EncodeForURL() before storing the value in a DB?
The reason I ask this is that when I send an e-mail to someone that includes a URL that contains an email address as a URL variable, I have to use EncodeForURL(). But if this email address is already encoded using EncodeForHTML(), it will mean I have to Canonicalize() it before using EncodeForURL() on it again.
I would therefore think that EncodeForURL() is probably good, but is it 'safe' and 'correct' when storing the value in a database?
Update: Upon reading the docs it says that EncodeForURL is only for using a value in a URL. Therefore it seems to make sense that I should store it as EncodedForHTML, but then Canonicalize and re-encode for URL when using it in a URL context. I don't know how much of a performance hit all this encoding is going to take on my server...??
Copying this from my company's internal documentation. Not sure if the images uploaded correctly since imgur is blocked at work. If so, I'll re-upload them later. I'll be publishing this and more related content to a GitHub repo in the future.
You should store it as simple text, but make sure you scrub your data on the way in using an AntiSamy library. Once the data is safe, make sure to encode the data on the way out using the proper encoder. And FYI, there's a big difference between the output of encodeForHTML() and encodeForHTMLAttribute().
In the below examples, substitute the variables that define email addresses with data from the DB.
PROTIP: Don't use these encoders in CFFORM tags. Those tags take care of the encoding for you. CF 9 and below use HTMLEditFormat(), CF 10 and above most likely use encodeForHTMLAttribute().
Simple Implementation
A basic implementation is to include a single e-mail address in order to populate the "To" field of a new e-mail window.
CFML
<cfset email = "someone@example.com" />
E-mail
HTML Output
E-mail
CFML with Proper Encoding
<cfset email = "someone@example.com" />
E-mail
Encoded HTML Output
Notice that the "@" symbol is properly percent encoded as "%40".
E-mail
Results when clicked
And if you plan on showing the e-mail address on the page as part of the link:
<cfset email = "someone@example.com" />
#encodeForHTML(email)#
Attack Vector
An advanced implementation includes e-mail addresses for "To" & "CC". It can also pre-populate the body and subject of the new e-mail.
CFML without encoding
<cfset email = "someone@example.com" />
<cfset email_cc = "someone_else@example.com" />
<cfset subject = "This is the subject" />
<cfset body = "This is the body" />
E-mail
HTML Output
E-mail
Results when clicked
Notice that the subject and body parameters contain spaces. While this string will technically work, it is still prone to attack vectors.
Imagine the value of body is set by the result of a database query. This record has been "infected" by a malicious user and the default body message has an appended "BCC" address, so some evil user can get copies of e-mails sent via this link.
Infected Data
<cfset body = "This is the body&bcc=someone@evil.com" />
HTML Output
E-mail
Results when clicked
In order to stop this MAILTO link from being infected, this string needs to be properly encoded.
CFML with HTML Attribute Encoding
Since "href" is an attribute of the <a> tag, you might think to use the HTML Attribute encoder. This would be incorrect.
<cfset email = "someone@example.com" />
<cfset email_cc = "someone_else@example.com" />
<cfset subject = "This is the subject" />
<cfset body = "This is the body&bcc=someone@evil.com" />
E-mail
HTML Output
E-mail
Results when clicked
CFML with URL Encoding
The correct encoding of a MAILTO link is done with the URL encoder.
<cfset email = "someone@example.com" />
<cfset email_cc = "someone_else@example.com" />
<cfset subject = "This is the subject" />
<cfset body = "This is the body&bcc=someone@evil.com" />
E-mail
HTML Output with Correct Encoding
Notice these things about the URL encoder:
Each space (" ") is converted to a plus sign ("+") instead of its expected percent value ("%20").
Encoding is otherwise done using percent ("%") values.
Since the individual query parameters are encoded, the ampersands ("&") connecting each parameter were not encoded.
When the "body" parameter is encoded, it includes the "&body=" string that was maliciously injected. This entire string is now part of the message body, which prevents the unintended "bcc" of the e-mail.
E-mail
Results when clicked
What's with the plus signs? It is up to the individual mail client (e.g. Outlook, GMail, etc.) to correctly decode these URL encoded values.
Store the email addresses in plain text, then encode them when you use them, depending on the context. If it's going to be a part of URL, use EncodeForURL(). If it's going to be displayed in HTML as text, use EncodeForHtml().
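The two answers above agree on the rule: store plain text, encode per context on output. As an added example (not code from either answer), here is a helper that assembles the full mailto: link with every query parameter URL-encoded on its own, fed with the "infected" body value from the long answer. buildMailtoLink is an assumed helper name and the sample values are constructed.

```cfml
<!--- Added example, not from the answers above: build a mailto: link in which each
      parameter is URL-encoded separately, so a tampered value cannot smuggle in an
      extra bcc= parameter. buildMailtoLink is an assumed helper name. --->
<cffunction name="buildMailtoLink" returntype="string" output="false">
    <cfargument name="to"      type="string" required="true" />
    <cfargument name="cc"      type="string" required="false" default="" />
    <cfargument name="subject" type="string" required="false" default="" />
    <cfargument name="body"    type="string" required="false" default="" />
    <cfset var link   = "mailto:" & encodeForURL(arguments.to) />
    <cfset var params = [] />

    <!--- encode each value on its own; the "&" and "=" that join the pairs are
          added afterwards, so they are the only unencoded separators in the link --->
    <cfif len(arguments.cc)>
        <cfset arrayAppend(params, "cc=" & encodeForURL(arguments.cc)) />
    </cfif>
    <cfif len(arguments.subject)>
        <cfset arrayAppend(params, "subject=" & encodeForURL(arguments.subject)) />
    </cfif>
    <cfif len(arguments.body)>
        <cfset arrayAppend(params, "body=" & encodeForURL(arguments.body)) />
    </cfif>
    <cfif arrayLen(params)>
        <cfset link &= "?" & arrayToList(params, "&") />
    </cfif>
    <cfreturn link />
</cffunction>

<!--- constructed sample data; "body" is the tampered database value from the answer --->
<cfset email    = "someone@example.com" />
<cfset email_cc = "someone_else@example.com" />
<cfset subject  = "This is the subject" />
<cfset body     = "This is the body&bcc=someone@evil.com" />
<cfset href     = buildMailtoLink(email, email_cc, subject, body) />

<cfoutput>
<!--- href is URL-encoded for the link; the visible text is a separate HTML text context --->
<a href="#href#">#encodeForHTML(email)#</a>
</cfoutput>
```

In the result, the "&" and "=" inside the body value come out as "%26" and "%3D", so the mail client sees one long body and no bcc parameter. Wrapping the finished href in encodeForHTMLAttribute() as well is fine as an extra layer for the attribute context: it only turns the joining "&" into "&amp;", which the browser decodes again before the mail client sees the URL, and the injected bcc stays neutralised because it was percent-encoded first. Used on its own instead of encodeForURL(), as the answer shows, it does not help, because that decoding hands the raw "&bcc=" straight back to the mail client.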

How can I tell if a user belongs to an role in active directory - using ColdFusion

If I am using integrated authentication in IIS, how can I determine if the current user is part of a specific active directory role, using ColdFusion?
This would be analogous to using the IsInRole() method of the User object in .net - how can it be done in ColdFusion?
the only way to do this is to use cfldap and query the active directory server to get a list of groups. after you've gotten the list, you will need to parse it to see if that user belongs to the group in question. below is some code i wrote with some comments for the people at work. values have been changed to protect the innocent.
<!--- getting the user login id --->
<cfset variables.thisuser = ListLast(cgi.AUTH_USER, "\")>
<!--- this is the group they must be a memberof --->
<cfset variables.groupname = "CN=<the group to search for>">
<!--- list of all groups that the user belongs to, will be populated later --->
<cfset variables.grouplist = "">
<cftry>
<cfldap action="query"
name="myldap"
attributes="memberOf"
start="OU=<your ou>,DC=<your dc>,DC=<your dc>"
scope="subtree"
filter="(sAMAccountName=#variables.thisuser#)"
server="<your AD server ip>"
port="<your AD server port>"
username="<network login if required>"
password="<network password if required>">
<cfset variables.grouplist = myldap.memberOf>
<cfcatch>
<!--- an LDAP error is swallowed here; grouplist stays empty, so no cookie is set --->
</cfcatch>
</cftry>
<cfif FindNoCase(variables.groupname, variables.grouplist)>
<cfcookie name="SecurityCookieName" value="">
</cfif>
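As an added example (not the answer's code), the same cfldap lookup with two changes a reviewer would ask for: the group test compares the full group DN exactly instead of searching for a substring, which would also accept any other group whose DN merely contains the searched text, and the login id is escaped before it goes into the LDAP filter. The placeholders in angle brackets are the answer's; ldapFilterEscape and isUserInADGroup are assumed helper names.

```cfml
<!--- Added example, not the answer's code: exact match on the group DN plus a
      filter escape. Values in <...> are placeholders, as in the answer. --->

<!--- escape the characters RFC 4515 reserves inside a filter value --->
<cffunction name="ldapFilterEscape" returntype="string" output="false">
    <cfargument name="value" type="string" required="true" />
    <cfset var out = arguments.value />
    <cfset out = replace(out, "\", "\5c", "all") />
    <cfset out = replace(out, "*", "\2a", "all") />
    <cfset out = replace(out, "(", "\28", "all") />
    <cfset out = replace(out, ")", "\29", "all") />
    <cfset out = replace(out, chr(0), "\00", "all") />
    <cfreturn out />
</cffunction>

<cffunction name="isUserInADGroup" returntype="boolean" output="false">
    <cfargument name="loginId" type="string" required="true" />
    <cfargument name="groupDN" type="string" required="true" />
    <cfset var ldapResult = "" />
    <cfset var dn = "" />

    <cftry>
        <!--- memberOf is multi-valued and every value is a DN full of commas, so the
              default comma separator would split the DNs apart; "|" does not occur
              in these DNs and keeps each one whole --->
        <cfldap action="query"
                name="ldapResult"
                attributes="memberOf"
                separator="|"
                start="OU=<your ou>,DC=<your dc>,DC=<your dc>"
                scope="subtree"
                filter="(sAMAccountName=#ldapFilterEscape(arguments.loginId)#)"
                server="<your AD server ip>"
                port="<your AD server port>"
                username="<network login if required>"
                password="<network password if required>" />
        <cfcatch type="any">
            <!--- fail closed: an LDAP error never grants membership, but it is logged --->
            <cflog file="ad-groups" type="error"
                   text="cfldap query failed for #arguments.loginId#: #cfcatch.message#" />
            <cfreturn false />
        </cfcatch>
    </cftry>

    <cfif ldapResult.recordCount EQ 0>
        <cfreturn false />
    </cfif>
    <!--- compare whole DNs, case-insensitively, rather than searching for a substring --->
    <cfloop list="#ldapResult.memberOf#" delimiters="|" index="dn">
        <cfif compareNoCase(trim(dn), arguments.groupDN) EQ 0>
            <cfreturn true />
        </cfif>
    </cfloop>
    <cfreturn false />
</cffunction>

<!--- usage: IIS integrated authentication puts DOMAIN\user into cgi.AUTH_USER --->
<cfset thisUser = listLast(cgi.AUTH_USER, "\") />
<cfif isUserInADGroup(thisUser, "CN=<the group to search for>,OU=<your ou>,DC=<your dc>,DC=<your dc>")>
    <cfset session.isGroupMember = true />
</cfif>
```

The result is kept in the server-side session scope rather than signalled by a cookie, so the marker is not something the browser can create for itself; the direct group list from memberOf does not include nested group membership, which would need a further lookup.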
In coldfusion to check a user's role you would use IsUserInRole()
http://cfquickdocs.com/#IsUserInRole
Edit - And actually I hope I understood correctly, I don't know anything about IIS or active directory. As I understood the question you wanted to check a user's role in Coldfusion.
I think you may be looking for something more like this: http://vincentcollins.wordpress.com/2008/08/20/active-directory-ldap-authentication/ or this: http://coldfusion.sys-con.com/node/154225
Just as a follow up, SQL server has ADSI providers that allow you to create a linked server to your LDAP servers.
From there you can do ldap queries to your AD and it returns like any other record set.
I find it a little easier to do complex ldap queries this way than via CF.