Another way around the reserved word issue is to apply a naming convention to your SQL tables:

Update tblReports Set strPassword = 'myPw' Where intLoginID = 1

Cutter

Tony Weeg wrote:
> posimitively positive ;)
>
> but good lookin out!!
>
> tony
>
> -----Original Message-----
> From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 11:26 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> As loooong as you are sure <G>.
> -mk
>
> -----Original Message-----
> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 02, 2001 10:18 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> cf code u/p that is on a secondary page/step
> that if you dont know the correct u/p will just
> redirect you to the main page. im the only one with
> access...and really, is just for testing...but
> im the only one with access.
>
> trust me i get sick of explaining "pebkac" to clients
> and give them only sooo much access.
>
> tony
>
> -----Original Message-----
> From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 11:15 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> Are you speaking of an SQL server uname and pw? Or some form of login that
> you implement in your CF code? If it's SQL, then you can set up DB
> permissions in a very granular way and your risk is less (though not
> completely gone - if you are allowing update, insert or delete). If not,
> then you have the issue of raw SQL being passed to the SQL server. Either
> way, unless you can be positive that all the folks who are accessing the
> script are competent SQL writers - this is a great risk. What happens (for
> example) when someone puts in "update userTable SET fname = 'Bill' ", but
> they forget the where clause. Suddenly, all your users are named "Bill" <ha>.
> Sounds crazy - but do you remember the mistakes you used to make when you
> first started writing SQL? Or what if they experiment with the "truncate"
> key word - or "Drop" or "create". The possibilities are endless - and all
> really scary <g>.
>
> -mk
>
> -----Original Message-----
> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 02, 2001 10:04 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> even with a username/password protecting it?
> tony
>
> -----Original Message-----
> From: Mark A. Kruger - CFG [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 11:03 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> bingo - if you have a string you are building that includes single quotes,
> you have to use the "preservesinglequotes( )" function. Otherwise you would
> get exactly this syntax error - the query without the function would end up
> being: update [reports] set password = ' '123xxx456' ' (two sets of single
> quotes). Tony, I wouldn't do it this way unless you are doing some kind of
> one-time query - or building some form of on-line query analyzer. The
> security risk is pretty high. I would at least restrict DML type queries
> using SQL permissions.
>
> -mk
>
> -----Original Message-----
> From: Samuel Neff [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 02, 2002 9:48 PM
> To: CF-Talk
> Subject: RE: shooting my server soon....
>
> So the entire SQL is inside the form field, including the single quotes?
> Then you need PreserveSingleQuotes()--and think about the security issue..
>
>> -----Original Message-----
>> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, December 02, 2002 10:44 PM
>> To: CF-Talk
>> Subject: RE: shooting my server soon....
>>
>> ok great, it works when i have this in a page...
>>
>>   <cfquery name="ex" datasource="cx">
>>   update [reports] set password = '123xxx456'
>>   </cfquery>
>>
>> but not when i send this string from a form field
>> textarea called sql
>>
>>   update [reports] set password = '123xxx456'
>>
>>   <cfquery name="ex" datasource="cx">
>>   #form.sql#
>>   </cfquery>
>>
>> any idea?
>>
>> tony
>>
>> -----Original Message-----
>> From: David Notik [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, December 02, 2002 10:26 PM
>> To: CF-Talk
>> Subject: RE: shooting my server soon....
>>
>> Try adding a valid WHERE clause and see if the statement works.
>>
>> UPDATE Reports SET Password = 'XXXXXX' WHERE ID=1
>>
>> That will at least get you closer to diagnosing the cause.
>>
>> Also, be sure your CFQUERY tags have proper < and >.
>>
>> --Dave
>>
>> ###################
>> David Notik
>> Digital202, LLC
>> Imagination gone digital.
>> Web: www.digital202.com
>> E-mail: [EMAIL PROTECTED]
>> Office: (206) 575-1717
>> Mobile: (206) 351-3948
>> ###################
>>
>> -----Original Message-----
>> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, December 02, 2002 7:21 PM
>> To: CF-Talk
>> Subject: RE: shooting my server soon....
>>
>> ok.....
>>
>> update [reports] set password = 'xxxx'
>>
>> Message: Error Executing Database Query.
>> Detail: [Macromedia][SQLServer JDBC Driver][SQLServer]Line 1:
>> Incorrect syntax near 'xxxx'.
>> Native Error Code: 170
>> SQL State: HY000
>>
>> same error?
>>
>> tony
>>
>> -----Original Message-----
>> From: Matthew Walker [mailto:[EMAIL PROTECTED]]
>> Sent: Monday, December 02, 2002 10:15 PM
>> To: CF-Talk
>> Subject: RE: shooting my server soon....
>>
>> Don't know. One of the secrets of T-SQL I guess. ;-)
>>
>>> -----Original Message-----
>>> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
>>> Sent: Tuesday, 3 December 2002 4:06 p.m.
>>> To: CF-Talk
>>> Subject: RE: shooting my server soon....
>>>
>>> but why can i do it fine in select statements?
>>>
>>> tony
>>>
>>> -----Original Message-----
>>> From: Matthew Walker [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, December 02, 2002 9:59 PM
>>> To: CF-Talk
>>> Subject: RE: shooting my server soon....
>>>
>>> Reports is a reserved word. Wrap it in []
>>> http://aspfaq.com/show.asp?id=2080
>>>
>>>> -----Original Message-----
>>>> From: Tony Weeg [mailto:[EMAIL PROTECTED]]
>>>> Sent: Tuesday, 3 December 2002 3:45 p.m.
>>>> To: CF-Talk
>>>> Subject: shooting my server soon....
>>>>
>>>> why?
>>>>
>>>> update reports set password = 'xxxx'
>>>>
>>>> will not work in my cf code on my cfmx server.
>>>>
>>>> i can run the same query in query analyzer, and all is well.
>>>>
>>>> any explanation would save my ***king server...
>>>>
>>>> thanks
>>>>
>>>> ...tony
>>>>
>>>> tony weeg
>>>> [EMAIL PROTECTED]
>>>> www.revolutionwebdesign.com
>>>> rEvOlUtIoN wEb DeSiGn
>>>> 410.334.6331

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
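Mark's advice to "at least restrict DML type queries using SQL permissions" is the one mitigation in this thread that holds even when raw SQL from a form field reaches the server. The T-SQL below is an added example, not code from the thread: it gives the ColdFusion datasource a read-only SQL Server login (SQL Server 2005 or later syntax; the database name, login name and password are placeholders) so that a forgotten WHERE clause, a TRUNCATE or a DROP is refused by the server instead of executed.

```sql
-- Added example (not from the thread). Names are placeholders:
-- ReportsDB = the database behind the "cx" datasource, cf_reports_ro = new login.
USE master;
CREATE LOGIN cf_reports_ro WITH PASSWORD = 'PLACEHOLDER_CHANGE_ME';
GO

USE ReportsDB;
CREATE USER cf_reports_ro FOR LOGIN cf_reports_ro;

-- Read-only fixed role: SELECT on every table, nothing more.
EXEC sp_addrolemember 'db_datareader', 'cf_reports_ro';

-- Explicit DENY wins over any GRANT the user might later inherit from
-- another role, so writes and DDL stay blocked even if roles are changed.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO cf_reports_ro;
DENY ALTER ON SCHEMA::dbo TO cf_reports_ro;   -- blocks CREATE/ALTER/DROP
GO

-- What the datasource can and cannot do once it connects as cf_reports_ro.
-- [reports] still needs brackets (or the tblReports naming convention from
-- the top of the thread) because Reports is a reserved word.
EXECUTE AS USER = 'cf_reports_ro';

SELECT password FROM [reports] WHERE ID = 1;      -- succeeds

UPDATE [reports] SET password = 'xxxx';            -- no WHERE clause:
-- fails with "The UPDATE permission was denied on the object 'reports'"
-- instead of overwriting every row.

TRUNCATE TABLE [reports];                          -- fails: ALTER denied

REVERT;
```

Point the ColdFusion datasource at cf_reports_ro for the page that runs #form.sql#, and keep a separate, tightly held login for the pages that legitimately update data.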

