I do a server-side check before building the query with the cfqueryparams. It is my last-resort check, based upon the column settings within the database. That check will give the user a user-friendly message about what is wrong so they can go back and fix it. I guess you could say my cfqueryparams are actually the last resort, but I have yet to see someone who managed to get past that server check, which is done just before building the query.
On Wed, Apr 15, 2009 at 12:36 AM, Angeli Wahlstedt <[email protected]> wrote:

> Hey, Seth –
>
> Well, what do you know – I did some experimenting using Google Toolbar’s
> Autofill, and your guess was spot-on! I was able to duplicate the exact
> error that the user had. You definitely win a cigar here. :)
>
> I guess the moral of this story is: don’t rely on the MAXLENGTH attribute
> to restrict the lengths of your data anymore. Using drop-down lists would
> help in some cases but not all. Sigh!
>
> Angeli
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Seth Bienek
> Sent: Tuesday, April 14, 2009 7:10 PM
> To: [email protected]
> Cc: [email protected]
> Subject: [houcfug] Re: HTML puzzle
>
> Just had a thought: if a person were using a browser plugin that remembers
> their info and plugs it into forms for them (google toolbar does this for
> example), that app would likely use the DOM to set the value of the form
> field, which might side-step the browser's function of limiting input based
> on key strokes..?
>
> Just a theory, but I'll bet if you contact the user they would tell you
> they use a form helper. :)
>
> Take Care,
>
> Seth
>
> On Apr 14, 2009, at 6:34 PM, "Angeli Wahlstedt" <[email protected]> wrote:
>
> Sure, here it is (the code trimmed for brevity)…as you can see, it’s
> pretty barebones. No Javascript except for the GrayItOut() which just grays
> out the submit button – validation is done server-side.
>
> Angeli
>
> <form action="index.cfm" method="post" name="myForm" onSubmit="return GrayItOut(myForm);">
> <tr>
> <td align="right">State:*</td>
> <td align="left">
> <input type="text" name="state" value="" size="2" maxlength="2">
> </td>
> </tr>
> <tr>
> <td colspan="2" align="center">
> <input type="submit" name="Submit" value="Bid On Me!">
> </td>
> </tr>
> </form>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Manish Gupta
> Sent: Tuesday, April 14, 2009 6:25 PM
> To: [email protected]
> Subject: [houcfug] Re: HTML puzzle
>
> just curious - can you paste your HTML input tag here.....
>
> On Tue, Apr 14, 2009 at 5:21 PM, Angeli Wahlstedt <[email protected]> wrote:
>
> Actually, the email showed all the scopes, including FORM. The original
> page was a data entry screen for a private auction, and it takes in your
> name, address, contact info and things like that, and the form data that
> showed up in the email looks completely legitimate – a residential address
> of some guy in Colorado. No obvious made-up data that I can see. If it’s a
> spam-bot or the like, someone is certainly going to a lot of trouble to make
> it look legitimate. :)
>
> That data entry screen hadn’t been changed for several years, so it rules
> out the cached page theory. Maybe some weird browser bug, who knows? Anyway,
> I’ll just chalk it up as a fluke and not worry about it unless it comes up
> again. The action page already has CFQUERYPARAM’s and other safety guards in
> place, anyway.
>
> Angeli
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Seth Bienek
> Sent: Tuesday, April 14, 2009 4:58 PM
> To: [email protected]
> Cc: [email protected]
> Subject: [houcfug] Re: HTML puzzle
>
> Smells like a spam bot to me. They forge user agent strings, and will
> guess at field values to get their form submitted.
>
> If you don't include the form scope in your error emails, you should
> consider doing so, as it will give you more insight, no matter what the
> issue turns out to be.
>
> Take Care,
>
> Seth
>
> On Apr 14, 2009, at 4:43 PM, "Ecung II,Ramon J" <[email protected]> wrote:
>
> Whoops, I read that too fast and thought you were using CFINPUT. Sorry.
>
> Yeah, you’re right, that looks like IE7 on Vista unless it’s a forged
> user-agent.
>
> I would say the user either had a cached version of the page that didn’t
> have the size/maxlength attributes, or a bug in the browser, or something else
> off the wall. It could be a hack attempt, but there are more interesting
> things to try than “Colorado”.
>
> Ramon Ecung, BS, ACHDS, MCP
> 713-794-4273 | [email protected] | Unit 421
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Angeli Wahlstedt
> Sent: Tuesday, April 14, 2009 4:38 PM
> To: [email protected]
> Subject: [houcfug] Re: HTML puzzle
>
> Actually, there’s no Javascript tied to that INPUT tag…besides, isn’t the
> SIZE/MAXLENGTH restriction handled by the browser itself, no matter if
> Javascript is turned on or off?
>
> Angeli
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Ecung II,Ramon J
> Sent: Tuesday, April 14, 2009 4:34 PM
> To: [email protected]
> Subject: [houcfug] Re: HTML puzzle
>
> Maybe a user has their javascript turned off? Or they’re running through
> some sort of proxy like privoxy that changes the html/javascript code to
> block ads and such?
>
> Ramon Ecung, BS, ACHDS, MCP
> 713-794-4273 | [email protected] | Unit 421
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Angeli Wahlstedt
> Sent: Tuesday, April 14, 2009 4:32 PM
> To: [email protected]
> Subject: [houcfug] HTML puzzle
>
> Okay, this is more of an HTML issue than a Cold Fusion issue (though it’s
> being generated by a Cold Fusion page), but I’ve got a head-scratcher I’d like
> to run by you folks.
>
> I just got an automatically generated email from one of the sites I work
> on, containing a Cold Fusion error. The error was caused by a CFQUERYPARAM
> tag trying to save a too-long string to a database. I went to the original
> page, thinking that an INPUT tag is missing a MAXLENGTH attribute somewhere.
> But it turns out that the INPUT tag indeed has both its SIZE and MAXLENGTH
> in place. It works as it should when I tested it in IE 7.0 and Firefox.
>
> So, the question is, how did this too-long string (which was the value
> “Colorado”) get past a 2-character text box? One possibility would be a
> custom-written form outside the web server, but the HTTP_REFERRER variable
> pointed at the original page on the web server. If it helps anything, the
> user agent was “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB5;
> SLCC1;.NET CLR 2.0.50727; .NET CLR 3.0.04506; MS-RTC LM 8” which looks like
> IE 7.0, if I’m reading it correctly.
>
> Puzzledly yours,
>
> Angeli Wahlstedt, IdeaSculpt LLC
>
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the "Houston
> ColdFusion Users' Group" discussion list.
> To unsubscribe, send email to [email protected]
> For more options, visit http://groups.google.com/group/houcfug?hl=en
> -~----------~----~----~----~------~----~------~--~---

-- 
Aaron Rouse
http://www.happyhacker.com/
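The server-side length check Aaron describes in his reply, as an added example that is not code from the thread: it is written in Node.js rather than CFML so it runs stand-alone, and the column rules (which in his setup come from the database column settings), the field names and the two sample submissions are all constructed for illustration.

```javascript
// Constructed column rules: in practice these are read from the database schema
// (the column's declared width), so the check always agrees with what the
// INSERT will accept. "state" is the 2-character column from the thread.
const columnRules = {
  state: { label: 'State', maxLength: 2, required: true },
  city: { label: 'City', maxLength: 40, required: true },
  zip: { label: 'ZIP code', maxLength: 10, required: false },
};

// Validate one posted form (field name -> string) against the column rules.
// Returns { ok, errors, values }: "errors" holds user-friendly messages the
// form page can show, "values" holds only the fields that passed. This runs
// before the query is built; the query's own parameter length limit stays in
// place as the true last resort, exactly as described in the reply.
function validateForm(form, rules = columnRules) {
  const errors = [];
  const values = {};
  for (const [field, rule] of Object.entries(rules)) {
    const raw = form[field];
    // Anything that is not a string (missing field, array from a duplicated
    // input name) is treated as empty rather than trusted.
    const value = typeof raw === 'string' ? raw.trim() : '';
    if (rule.required && value.length === 0) {
      errors.push(`${rule.label} is required.`);
      continue;
    }
    if (value.length > rule.maxLength) {
      errors.push(
        `${rule.label} must be ${rule.maxLength} characters or fewer ` +
        `(you entered ${value.length}).`
      );
      continue;
    }
    values[field] = value;
  }
  return { ok: errors.length === 0, errors, values };
}

// Constructed submissions: the first is what the autofill tool sent in the
// thread (a full state name into a 2-character box), the second is typed input.
const autofilledSubmission = { state: 'Colorado', city: 'Denver', zip: '80202' };
const typedSubmission = { state: 'CO', city: 'Denver', zip: '80202' };

function checkSubmissions() {
  return {
    autofilled: validateForm(autofilledSubmission),
    typed: validateForm(typedSubmission),
  };
}

console.log(JSON.stringify(checkSubmissions(), null, 2));
```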
