D'oh! Anyone else see the classic SQL injection vuln here...

-- 
Dean H. Saxe
"A true conservationist is a person who knows that the world is not given by his fathers, but borrowed from his children." -- John James Audubon
On Wed, Jan 27, 2010 at 11:47 AM, Dusty Hale <[email protected]> wrote:
> Teddy, here's how I build the qText string part where the quotes are:
>
> if(len(txtDonorId)){
>     qText = qText & "AND donorid like '%" & txtDonorId & "%' ";
> }
>
>
> On Wed, Jan 27, 2010 at 2:28 PM, Teddy R. Payne <[email protected]> wrote:
>>
>> Dusty,
>> What type of single quotes are those? What is the source of the text? Was
>> the query copied and pasted from a Microsoft document?
>>
>>
>> Teddy R. Payne, ACCFD
>> Google Talk - [email protected]
>>
>>
>> On Wed, Jan 27, 2010 at 2:24 PM, Dusty Hale <[email protected]> wrote:
>>>
>>> Hi:
>>>
>>> I've run into a very strange issue. I have a cfc which has a <cfquery>
>>> tag in it. I recently added one field to the SQL in the query and am getting an
>>> error I've never seen before. I can't seem to dig out any info to solve
>>> this. If anyone is familiar, please share.
>>>
>>> Of course when I output the SQL and run it in a SQL Studio Query window, the
>>> query runs fine with no errors.
>>>
>>> Here's the error I see in CF:
>>>
>>> -----------------------------------------------------------------------------------------------------------------------------
>>> [Macromedia][SQLServer JDBC Driver][SQLServer]Divide by zero error
>>> encountered.
>>>
>>> The error occurred in
>>> D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
>>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 149
>>> Called from D:\websites\xytexcom_stage2\htdocs\cfc\donorsearch.cfc: line 139
>>> Called from D:\websites\xytexcom_stage2\htdocs\search.cfm: line 48
>>>
>>> 147 : </cfscript>
>>> 148 : <cfquery name="q" datasource="#application.dsn_name#"
>>>       username="#application.db_user#" password="#application.db_pword#">
>>> 149 : #qText#
>>> 150 : </cfquery>
>>> -----------------------------------------
>>>
>>> Here's the SQL code in the qText variable. Please note that it runs fine
>>> in Query Analyzer. Also note that no division is being used.
>>>
>>> ----------------------------------------------------------------
>>> Select donorid, occupation, race, haircolor, hairtexture, eyecolor,
>>> religion, bloodtype, height, weight, heightmetric, weightmetric,
>>> reportedpregnancy, opendonorid, infomp3avail, ethnicity, cmvstatus,
>>> DateEntered, ARTavail, ARTonly, SelectDonors FROM v_websearch where
>>> available = 1 AND donorid like '%9986%' ORDER BY donorid
>>> ----------------------------------------------------------------------------------
>>>
>>> Any advice or thoughts on this are of course greatly appreciated.
>>>
>>> Dusty
>>
>
>
> -- 
> Dusty Hale
> Email: [email protected]
> Phone (Atlanta): 404.474.3754
> Phone (Toll Free USA): 877.841.3370
> Website: www.DustyHale.com

-------------------------------------------------------------
To unsubscribe from this list, manage your profile @ http://www.acfug.org?fa=login.edituserform
For more info, see http://www.acfug.org/mailinglists
Archive @ http://www.mail-archive.com/discussion%40acfug.org/
List hosted by http://www.fusionlink.com
-------------------------------------------------------------
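The concatenated LIKE clause that Dean is pointing at, rebuilt as an added example (not code from the thread or from Dusty's donorsearch.cfc) against an in-memory SQLite table, with a parameterised version of the same query beside it. The table name v_websearch and the two columns it touches are borrowed from the quoted query; the row contents, the payload string and the helper names (make_db, search_concat, search_param, escape_like) are constructed for this example. The CFML counterpart of search_param is wrapping the value in <cfqueryparam> instead of splicing it into qText; the divide-by-zero error itself is a separate question that this example does not address.

```python
"""Added example (not from the ACFUG thread): the injectable LIKE
concatenation from the thread, mirrored in Python against SQLite,
next to a parameterised version of the same query.

Table, column and row contents are constructed for this example; the
real v_websearch view and its other columns are not modelled here.
"""
import sqlite3

# Constructed sample rows standing in for v_websearch.
SAMPLE_ROWS = [
    ("9986", 1),
    ("19986", 1),
    ("2001", 1),
    ("7777", 0),   # available = 0: a correct search must never return it
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with the two columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v_websearch (donorid TEXT, available INTEGER)")
    conn.executemany("INSERT INTO v_websearch VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn: sqlite3.Connection, txt_donor_id: str) -> list:
    """The pattern from the thread: user text pasted straight into the SQL.

    Mirrors  qText & "AND donorid like '%" & txtDonorId & "%' "  in CFML.
    Anything in txt_donor_id that closes the quote becomes SQL.
    """
    sql = ("SELECT donorid FROM v_websearch WHERE available = 1 "
           "AND donorid LIKE '%" + txt_donor_id + "%' ORDER BY donorid")
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(value: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters so the user's text matches literally.

    Binding the value as a parameter stops injection, but a '%' or '_'
    typed by the user would still act as a wildcard; pairing the bound
    pattern with an ESCAPE clause closes that gap.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_param(conn: sqlite3.Connection, txt_donor_id: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL.

    The CFML equivalent is <cfqueryparam value="%#txtDonorId#%"
    cfsqltype="cf_sql_varchar"> in place of the concatenated literal.
    """
    sql = ("SELECT donorid FROM v_websearch WHERE available = 1 "
           "AND donorid LIKE ? ESCAPE '\\' ORDER BY donorid")
    pattern = "%" + escape_like(txt_donor_id) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


# Constructed payload: closes the '%...' literal, ORs in a true clause and
# comments out the rest of the statement (SQL Server and SQLite both treat
# "--" as a line comment).
INJECTION = "' OR 1=1 --"


def demo() -> dict:
    """Run both variants on a normal id, the payload and a bare wildcard."""
    conn = make_db()
    return {
        "concat_normal": search_concat(conn, "9986"),
        "concat_injected": search_concat(conn, INJECTION),
        "param_normal": search_param(conn, "9986"),
        "param_injected": search_param(conn, INJECTION),
        "param_wildcard": search_param(conn, "%"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

With the payload, search_concat returns every row in the table, including the one with available = 0, because the injected text rewrites the WHERE clause; search_param returns nothing for the same input because the text is only ever compared against donorid. The last case shows why escape_like is there: a lone "%" from the user matches no row once it is escaped, where an unescaped bound "%" would still match every available donor.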
