Hello Brad,

To your questions:
The server uses MySQL. I wish I could use SQL Server. Here is the PROC.
DELIMITER $$

DROP PROCEDURE IF EXISTS `afmcorporate`.`sp_updateBasePKG` $$
CREATE definer=`afmcorpora...@`%` PROCEDURE `sp_updateBasePKG`(
                     IN in_table     VARCHAR(128),
                     IN in_column    VARCHAR(128),
                     IN in_new_value VARCHAR(1000),
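                     IN in_where     VARCHAR(4000),
                     OUT results     VARCHAR(3000))
BEGIN
DECLARE l_sql VARCHAR(4000);

-- Build the UPDATE statement text from the parameters
SET l_sql=CONCAT_ws(' ',
         'UPDATE',in_table,
        'SET',in_column,'=',in_new_value,
          'WHERE',in_where);

-- Return the generated statement (result set and OUT parameter) for checking
select l_sql as results;
set results = l_sql;

-- Run the generated statement
  SET @sql=l_sql;
        PREPARE s1 FROM @sql;
        EXECUTE s1;
        DEALLOCATE PREPARE s1;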
END $$

DELIMITER ;

This is not a webservice, and even if it is, I don’t need to have the output 
result. I was using it as a way to check my SQL.

There will not be a way for hackers to do any SQL injections because the way 
this works is that users type something in a text box and that will be used as 
the value to be inserted in the DB, e.g.

‘Update ‘ + ‘from table that they cannot type’ + 
‘SET ‘ + ‘this field that they cannot type either’ +
‘ = ‘ + ‘value entered by user’ +
‘WHERE ‘ + ‘from this field that they cannot type either’ + ‘=’ +
‘from this field that they cannot type either’

I am sending all the necessary values for the table, fields, except for the 
value that will be updated.

So, I don’t see any harm there, but if you see something let me know.

Finally, I failed to mention last time: the CFfunction is the one crashing. 
It doesn’t get to the SP yet.

I commented out the OUT cfprocparam because it was complaining there; after I 
commented out that parameter, it started complaining about the one above.

Any thoughts?

Thanks
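
Added example, not part of the original message or the poster's code: a variant of the procedure above in which the value typed by the user is bound as a `?` parameter through EXECUTE ... USING rather than concatenated into the statement text, and the table and column names are checked against information_schema before they are used. The name sp_updateBasePKG_bound, the split of in_where into a column and a value, and the use of SIGNAL (MySQL 5.5 or later) are assumptions.

```sql
DELIMITER $$

DROP PROCEDURE IF EXISTS sp_updateBasePKG_bound $$
-- Hypothetical variant of sp_updateBasePKG (name and parameters are assumptions)
CREATE PROCEDURE sp_updateBasePKG_bound(
    IN in_table        VARCHAR(64),
    IN in_column       VARCHAR(64),
    IN in_new_value    VARCHAR(1000),
    IN in_where_column VARCHAR(64),
    IN in_where_value  VARCHAR(1000))
BEGIN
    DECLARE l_known INT DEFAULT 0;

    -- Identifiers cannot be bound as parameters, so accept them only if
    -- both columns really exist on that table in the current schema.
    SELECT COUNT(*) INTO l_known
      FROM information_schema.COLUMNS
     WHERE TABLE_SCHEMA = DATABASE()
       AND TABLE_NAME   = in_table
       AND COLUMN_NAME IN (in_column, in_where_column);

    IF l_known <> (CASE WHEN in_column = in_where_column THEN 1 ELSE 2 END) THEN
        SIGNAL SQLSTATE '45000'
            SET MESSAGE_TEXT = 'Unknown table or column';
    END IF;

    -- Only validated identifiers are concatenated; both values stay as ?
    SET @sql = CONCAT(
        'UPDATE `', REPLACE(in_table, '`', '``'), '`',
        ' SET `',   REPLACE(in_column, '`', '``'), '` = ?',
        ' WHERE `', REPLACE(in_where_column, '`', '``'), '` = ?');
    SET @new_value   = in_new_value;
    SET @where_value = in_where_value;

    PREPARE s1 FROM @sql;
    EXECUTE s1 USING @new_value, @where_value;
    DEALLOCATE PREPARE s1;
END $$

DELIMITER ;
```

With this shape the text-box value is passed as the third argument and reaches the server only as data for the first placeholder, whatever characters it contains.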

