Re: New Round of Exploits going on
Byron,

That is partly true, if you make certain assumptions, but things are not quite that simple, considering the following.

Let's say you get your own server to host your own site. And that is it: you do not do any kind of lockdown, do not keep your patches and hotfixes up to date, do no monitoring whatsoever. Then yes, in such a scenario the shared server will be safer in general, because your server as a whole is not secure, so a vulnerability on the server is more likely. So getting a server with no idea what you're doing and no management or support would be pretty dumb. If you do not have the skills to manage it yourself and make sure it is secure, then you should be paying your host or someone else to do this for you.

However, if you are running a server with *ONLY* your own site on it, your chances of being attacked in the first place are much less than on a shared server. Consider that a shared server is going to have *AT LEAST* 200 other sites on it, probably more, and attackers generally target a list of domains/websites rather than the server itself when looking for vulnerabilities, so that is a 20,000% increase in your chances of being hacked due to the other websites already on the server.

Let's also consider that your own site is written in CF, and so CF is the only thing you would have installed on your own server. So you only have one application layer attack vector. But on a shared server you're also going to have ASP, .NET, Perl, PHP, Ruby and probably more, so that has just increased the possible attack vectors by at least another 500%.

On Tue, Feb 12, 2013 at 6:37 AM, Byron Mann <byronos...@gmail.com> wrote:
> (apologies for the length)
>
> Russ, I can tell by your comments that you either have dealt with a lot of hosts or have worked at or owned one. Well said.
>
> Having worked in the hosting space for more than 10 years now, I can safely say there is absolutely no 100% way to prevent these exploits on any platform. That is not to say there are not more secure options than shared hosting, but even at that you may need the above average skill set.
>
> I can make an argument that shared CF hosting is probably more secure for half the people using ColdFusion out there. How and why? Well, most probably have no one actively monitoring their servers. Not only do we have ourselves and tools looking at the servers, but our customers who make us instantly aware of an issue. Even a subpar host probably has a better lockdown on CF than many non-host-managed CF users. How many can say they don't have rootkits (or even know what that is) running on their server? Probably a lot on this list, but the average VPS, cloud or dedicated user out there, ummm, probably not.
>
> Example: there was a recent issue we had with hidden elements being injected into files on a shared server. This was actually a customer running WordPress. How many out there would have found that, and how quickly, say on a dedicated server with a site that only gets updated once a month?
>
> The best you can do is be vigilant, do your patching and homework, and when the next compromise comes, take it on the cheek, mitigate, and take what you learned and try to improve for the next go around. And if you are a hosting customer, it's up to you to be aware and educated on what a host should and shouldn't be doing (aka this list). And then decide if it's time to move on or acceptable to you.
>
> Of course I'm speaking in general terms, as this is the case with not only CF, but all platforms. How many times a week do we hear about a Drupal or WordPress issue? Just about as often as CF, if not more.
>
> Quick fact: we have more dedicated, VPS, cloud (VMs) revenue affected by compromises than our shared customers.
>
> But let's not all forget the real problem here. It's not CF users', the host's or Adobe's fault. It's the dirt bags out there who make escalations happen that result in the 3 am phone calls.
>
> Byron Mann
> Lead Engineer Architect
> HostMySite.com

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354474
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Problem with Hackers on Donation form through Authorize.net
Looks interesting. IP-based blocking may be a good way to go for my donation form.

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Tuesday, February 12, 2013 12:07 AM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net

I came across an interesting way to get the country from the IP address..
http://www.mximize.com/getting-country-by-ip-based-on-geolite

I might set this up and block non North American IPs...

At 04:43 PM 2/11/2013, Les Mizzell wrote:
> One site of mine for a dance company used to get a ton of spam through contact forms. Everybody hated CAPTCHA, so I put a simple question with radio button choices:
>
> A cow goes?
> a. quack
> b. woof
> c. moo
> d. chirp
>
> VERY low tech, but believe it or not, we've not gotten a single piece of bot spam since! Wouldn't advise this for most uses though...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354475
RE: Problem with Hackers on Donation form through Authorize.net
Another good thought! Thanks!

-----Original Message-----
From: Byron Mann [mailto:byronos...@gmail.com]
Sent: Tuesday, February 12, 2013 1:57 AM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net

A fairly inexpensive and easy to implement fraud screening service is MaxMind minFraud. It's something like 0.005 per transaction, methinks.

Another method I didn't see in the thread was doing an email confirmation before performing the CC transaction. Like send an email to the user with a unique ID the user must click to verify a legit email address was used. Can still be bot'd, but requires a bit more work on their part, which might be enough to discourage them since there are a lot of other places for them to go do their dirtiness.

Byron Mann
Lead Engineer Architect
HostMySite.com

On Feb 11, 2013 11:13 AM, Rick Faircloth <r...@whitestonemedia.com> wrote:
> Hi, guys...
>
> I've been running my first eCommerce setup with a donation page/form using Authorize.net. Things have been running fine, except for spammers using the donation form to find legitimate CC numbers so they could abuse the card in other ways.
>
> I've assumed, up to this point, that the spammers are bots, not humans. The spam attempts happened every 15-30 seconds for about an hour, then they stop. Very few are able to successfully process a transaction, but I'm trying to stop the form from being submitted.
>
> I've tried honey-pot traps, then moved to CF's captcha (at its default level of difficulty). So far, the spam attempts keep coming and my client is wondering if they need to get someone (besides me) to handle the donations since I can't seem to stop the spam.
>
> I realize that if someone is hiring cheap human labor for $1 per day to sit and enter form info, that I can't stop that, but if it is bots doing the spamming, will making CF captcha more difficult to read have a good chance of stopping the bots, or do I need to get with reCaptcha? I like using CF's solution, because I can code it myself. But if it doesn't work...
>
> Thoughts on this? I've got to get a solution working.
>
> Thanks for any feedback!
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354476
Re: Hack - Further Information
Well, I guess I never saw it because I always keep the cfadmin in the default website and lock it down, and always create a copy of the CFIDE without the admin or adminapi for all other sites. So there is always a REAL CFIDE.

I have just gone and checked some CF sites on several servers for sanity, and could not access /cfide/administrator/index.cfm on any of them.

On Tue, Feb 5, 2013 at 6:36 PM, Dave Watts <dwa...@figleaf.com> wrote:
>> I have to say I have never once had that in my 12 years of installing CF servers; if the cfide dir or vdir doesn't exist, then cfide or the administrator doesn't work, period.
>
> I have seen this many times. Again, as mentioned previously, it's not at all obvious - you request the URL /CFIDE/Administrator/ and you get a 404 from the web server, but /CFIDE/Administrator/index.cfm gives you a 200 for the CF Administrator. You can easily tell when this happens because the images (which are static files not served by CF) are not displayed.
>
>> So there must be some very special circumstances for that to happen; it certainly doesn't happen on a standard Windows install.
>
> The circumstances are not all that special, and happen under the exact situations I described. If you install CF with the CF Administrator and do not move or delete it, then you set up a web server without the CF Administrator, CF will be able to run /CFIDE/Administrator/index.cfm. Again, we typically demonstrate this in class, so it's fairly replicable. The key is simply to be aware of servlet mappings and how they work.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354477
Re: Problem with Hackers on Donation form through Authorize.net
Good morning everyone,

That verification solution will also work with screen readers, making it possible for disabled Web surfers to use that form. Good going, although CFFormProtect would eliminate the captcha altogether.

Peter Donahue

----- Original Message -----
From: Al Musella, DPM <muse...@virtualtrials.com>
To: cf-talk <cf-talk@houseoffusion.com>
Sent: Monday, February 11, 2013 11:06 PM
Subject: Re: Problem with Hackers on Donation form through Authorize.net

I came across an interesting way to get the country from the IP address..
http://www.mximize.com/getting-country-by-ip-based-on-geolite

I might set this up and block non North American IPs...

At 04:43 PM 2/11/2013, Les Mizzell wrote:
> One site of mine for a dance company used to get a ton of spam through contact forms. Everybody hated CAPTCHA, so I put a simple question with radio button choices:
>
> A cow goes?
> a. quack
> b. woof
> c. moo
> d. chirp
>
> VERY low tech, but believe it or not, we've not gotten a single piece of bot spam since! Wouldn't advise this for most uses though...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354478
Re: Hack - Further Information
> well I guess I never saw it because I always keep the cfadmin in the default website and lock it down, and always create a copy of the CFIDE without the admin or adminapi for all other sites. So there is always a REAL CFIDE.

That, by itself, is not sufficient. You can have a real CFIDE without the CF Administrator and CF will still run scripts that aren't in it. Again, this boils down to a few simple things: if CF receives the request, and has a corresponding servlet mapping, CF can in many cases run the request whether or not the file actually exists where the web server thinks it should exist.

> I have just gone and checked some cf sites on several servers for sanity, and could not access /cfide/administrator/index.cfm on any of them.

That is good! But perhaps you are doing other things as a matter of course that are preventing this behavior. And I wouldn't be surprised if you are doing these other things, because they're commonly done by people who are concerned about security. Again, though, the out-of-the-box behavior does not guarantee that these scripts can't be executed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354479
Re: Problem with Hackers on Donation form through Authorize.net
You're right, we do routinely get real donations from a few places like Puerto Rico and Mexico (which both happen to be part of North America)... as well as most of Europe and Japan. We actually got real donations from China and even Nigeria, so we can't block any country outright. So I am not going to bother blocking countries.

We had another run of someone trying yesterday.. I detected it on the 3rd attempt (all of which failed).. then he (or she) tried about 30 more times where I just sent the fake failure notice without letting it hit the credit card processor.

> On 2/12/2013 12:06 PM, Al Musella, DPM wrote:
>> I came across an interesting way to get the country from the IP address..
>> http://www.mximize.com/getting-country-by-ip-based-on-geolite
>>
>> I might set this up and block non North American IPs...
>
> i would check w/your client first. not everybody outside NA is bent on conducting fraud. and will you exclude users from Mexico, Puerto Rico, etc.? and keep in mind that IP-to-country conversion isn't fool-proof as it is, never mind when folks actively try to defeat it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354480
Re: Problem with Hackers on Donation form through Authorize.net
> We had another run of someone trying yesterday.. I detected it on the 3rd attempt (all of which failed).. then he (or she) tried about 30 more times where I just sent the fake failure notice without letting it hit the credit card processor.

I like this approach on two fronts. First, it protects you and your merchant account, and second, it gives the attacker a false negative on card numbers that may have been otherwise valid, which could help save the cardholder from a lot of bogus charges down the line.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354481
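A server-side version of Al's approach, as an added example that is not code from the thread, in Python rather than CFML so the logic is framework-neutral: after the third declined attempt from one client, the gate answers further attempts with a synthetic decline and never forwards them to the processor, keeping a log (without card data) so accidental rejections can be reviewed later. `DonationGate`, the `authorize` callback and the sample addresses are assumptions constructed for this example.

```python
"""Velocity gate for a card/donation form: after MAX_FAILURES declined
attempts from the same client, later attempts get a synthetic decline and
are never sent to the payment processor."""
import time
from collections import defaultdict

MAX_FAILURES = 3        # the thread's trigger: detected on the 3rd failed attempt
WINDOW_SECONDS = 3600   # failures older than this no longer count


class DonationGate:
    def __init__(self, authorize, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        # authorize: callable(request) -> (approved: bool, message: str); it is
        # the only thing that talks to the processor (Authorize.net in the thread).
        self.authorize = authorize
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(list)   # client_key -> timestamps of declines
        self.shadowed = []                  # attempts answered without the processor

    def _recent_failures(self, client_key, now):
        kept = [t for t in self.failures[client_key] if now - t < self.window]
        self.failures[client_key] = kept
        return len(kept)

    def submit(self, client_key, request, now=None):
        """client_key: source IP, session id or similar. request: the posted form
        data as a dict. Returns (approved, message, forwarded_to_processor)."""
        now = time.time() if now is None else now
        if self._recent_failures(client_key, now) >= self.max_failures:
            # Gate tripped. Use the processor's normal decline wording so the
            # submitter cannot tell a shadowed attempt from a real one, and log
            # only amount and client, never the card number.
            self.shadowed.append({"at": now, "client": client_key,
                                  "amount": request.get("amount")})
            return False, "This transaction has been declined.", False
        approved, message = self.authorize(request)
        if approved:
            self.failures[client_key] = []   # a genuine approval resets the count
        else:
            self.failures[client_key].append(now)
        return approved, message, True
```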
RE: Problem with Hackers on Donation form through Authorize.net
All of my attempts over the last couple of months have been under 2 minutes apart. It takes a lot longer than that to fill out the donation form. I think I'm going to try a timing function to determine the time of the first click of the form and the click of the submit button, and if the time is less than 12ms (2 minutes), I'm going to reject the submission.

Nothing else is working, I might as well try that. If it's a bot doing the spamming, it probably won't wait. If it's a person doing the spamming, they won't know why they're getting the failure notice.

Any problems with this approach?

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Tuesday, February 12, 2013 2:36 PM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net

> We had another run of someone trying yesterday.. I detected it on the 3rd attempt (all of which failed).. then he (or she) tried about 30 more times where I just sent the fake failure notice without letting it hit the credit card processor.

I like this approach on two fronts. First, it protects you and your merchant account, and second, it gives the attacker a false negative on card numbers that may have been otherwise valid, which could help save the cardholder from a lot of bogus charges down the line.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354482
RE: Problem with Hackers on Donation form through Authorize.net
Sometimes I hate this work... even though I've got it made as a freelancer. I still hate this work at times. Maybe I'll just go work at Lowes...

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Tuesday, February 12, 2013 2:36 PM
To: cf-talk
Subject: Re: Problem with Hackers on Donation form through Authorize.net

> We had another run of someone trying yesterday.. I detected it on the 3rd attempt (all of which failed).. then he (or she) tried about 30 more times where I just sent the fake failure notice without letting it hit the credit card processor.

I like this approach on two fronts. First, it protects you and your merchant account, and second, it gives the attacker a false negative on card numbers that may have been otherwise valid, which could help save the cardholder from a lot of bogus charges down the line.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354483
Re: Problem with Hackers on Donation form through Authorize.net
> If so, this won't work because I don't use an actual button with a type of submit. The submit button for my form is just a regular button that triggers an AJAX function that sends the data to a CFC for further processing and then submission in the CFC to Authorize.net.

From this you can conclude at 99% that the spammers are human. Bots are very unlikely to execute Ajax functions, or even any JavaScript. Then Captcha won't help.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354484
RE: Anyway to automatically convert to URLSESSIONFORMAT
> This isn't even the biggest threat. Since you are passing the SessionID in the URL, it will be included in the referrer string and LOGGED by someone else's server each time you allow a link out from your website.

Absolutely! Security is hard enough for web applications, but without cookies it is nearly impossible. The company that decided to disallow cookies on internal browsers, for I am guessing security reasons, does not fully understand the implications.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354485
RE: Problem with Hackers on Donation form through Authorize.net
> button for my form is just a regular button that triggers an AJAX function that sends the data to a CFC for further processing and then submission

Forget the form page; the bots/humans are not even seeing it, they are attacking your processing CFC directly. Your protection has to be server side, since any JavaScript on the form page is ignored. They are submitting form data directly to your CFC processing page.

Dennis Powers
UXB Internet - A website Design and Hosting Company
P.O. Box 6028, Wolcott, CT 06716 - T:203-879-2844
W: http://www.uxbinternet.com
W: http://www.ctbusinesslist.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354486
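Dennis's point is that a check running in the page's JavaScript is skipped by whoever posts straight to the CFC. As an added example (not code from the thread, Python rather than CFML), here is the earlier "too fast to be human" timing idea moved to the server: the form page embeds a signed token carrying its issue time in a hidden field, and the processing endpoint rejects any post that arrives less than two minutes later, or whose token was edited, has expired, or has already been used. `SECRET`, the token format and the function names are assumptions constructed here.

```python
"""Server-issued form timing token. Issued when the form is rendered,
verified by the processing endpoint, so it holds even for posts that never
load the page or run its JavaScript."""
import base64
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)    # constructed per process here; in practice load from protected config
MIN_FILL_SECONDS = 120     # the thread's threshold: genuine donors take longer than two minutes
MAX_TOKEN_AGE = 6 * 3600   # tokens older than this are refused, so they cannot be stockpiled


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None) -> str:
    """Call when rendering the form; put the result in a hidden input."""
    issued = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()   # 16 chars, never contains '.'
    payload = f"{issued}.{nonce}"
    return f"{payload}.{_sign(payload)}"


def check_form_token(token, now=None, used_nonces=None):
    """Verify a posted token. Returns (ok, reason).
    used_nonces: a set shared across requests (session or cache) when one
    token should be good for exactly one submission."""
    now = time.time() if now is None else now
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False, "malformed"
    # Constant-time compare: an edited issue time or nonce fails here, before
    # any of the timing logic is consulted.
    if not hmac.compare_digest(mac, _sign(f"{issued_s}.{nonce}")):
        return False, "bad signature"
    age = now - issued
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_TOKEN_AGE:
        return False, "expired"
    if used_nonces is not None:
        if nonce in used_nonces:
            return False, "replayed"
        used_nonces.add(nonce)
    return True, "ok"
```

A patient submitter can still fetch a token and wait the two minutes, so this raises the cost of each attempt rather than eliminating it, which is the same trade-off the thread describes for its other measures.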
Re: Problem with Hackers on Donation form through Authorize.net
> Forget the form page; the bots/humans are not even seeing it, they are attacking your processing cfc directly. Your protection has to be server side, since any JavaScript on the form page is ignored. They are submitting form data directly to your CFC processing page.

Part of the verification in the processing can be reliant upon something executing in JavaScript and being passed in with the form submission. This is how CFFormProtect works (looks for and tracks timing, keystrokes, mouse movement, etc.). This data is tracked and passed in to the form, and the server runs checks against it to determine whether the script ran and events occurred that you would expect to see in a real environment vs. an automated script (it does have some server-side checks as well, such as Akismet lookups, etc.).

It is true that an attacker could capture one real submission between the browser and the server and modify their scripts to submit the appropriate data to make it appear as though a script ran and those form fields were populated naturally when they actually weren't, though an attacker would need to be pretty persistent to go through all that trouble. The idea with these kinds of protections is to make it sufficiently inconvenient for an attacker to go to the trouble and move on to the next guy who is easier to exploit.

One of the sites I ran years ago had a problem with people scripting the signup process to generate accounts (even to the point of generating e-mail accounts to use for the e-mail validation process). We really didn't want to use a CAPTCHA, so we ended up randomizing the form field names (and creating a map of the random names to the real names as a session variable when the form was generated so we could match them back up when it was submitted). This prevented the process script from being hit directly and would have forced them to load the actual signup page first, parse all the field names out, and then run the submission again. They could have automated this as well, but never did (perhaps because it was too inconvenient and there were easier targets to go after).

The earlier idea of automatically rejecting transactions and transparently showing a reject notice after a couple of failures is a good anti-abuse measure in this instance. If logs are being kept, they can be reviewed periodically and anyone who looks like they may have been accidentally rejected can be contacted again later to recapture their donation if needed.

Abuse can be a hard problem to solve.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354487
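Justin's randomised field names, as an added example that is not his code (Python rather than CFML): the real-to-random map is stored in the session when the form is rendered, and the processing endpoint refuses any post whose field names are not in that map, so a script that posts the "obvious" names directly never matches. The field list and the plain dict standing in for the session scope are assumptions constructed for this example; consuming the map on use, so one rendered form is good for one post, is an addition beyond what Justin describes.

```python
"""Randomised form field names with a server-side map back to real names."""
import secrets

# Assumed field set for a donation form; constructed for this example.
REAL_FIELDS = ("donor_name", "email", "amount", "card_number")


def render_field_map(session):
    """Call while building the form page. Stores {real: random} in the session
    and returns it so the template can emit the random names."""
    field_map = {real: "f_" + secrets.token_hex(8) for real in REAL_FIELDS}
    session["field_map"] = field_map
    return field_map


def resolve_submission(session, posted):
    """Translate a posted form back to real names. Returns (fields, error).
    The map is consumed on use, so each rendered form is good for one post."""
    field_map = session.pop("field_map", None)
    if field_map is None:
        return None, "no form was rendered for this session"
    reverse = {rnd: real for real, rnd in field_map.items()}
    unknown = sorted(set(posted) - set(reverse))
    if unknown:
        # Real names, or names from an earlier render, land here.
        return None, "unexpected field(s): " + ", ".join(unknown)
    fields = {reverse[name]: value for name, value in posted.items()}
    missing = [real for real in REAL_FIELDS if real not in fields]
    if missing:
        return None, "missing field(s): " + ", ".join(missing)
    return fields, None
```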
A little help with jquery/cfm
Hey all,

I have an app that is running great. User enters a code into a form field, and it checks the db to see if it's valid. If not, they can't move on. Problem is that now the customer wants to be able to enter either the 2-5 character code OR the long name. For instance, you could enter AS or Adaptive Sports. I am not sure how to add this functionality into this code below, as I did not write the query; I found it on-line and modified it for my site.

JQuery:

<script src="js/jquery.js" type="text/javascript"></script>
<script type="text/javascript">
<!--
pic1 = new Image(16, 16);
pic1.src = "images/loader.gif";

$(document).ready(function(){
    $("#orgname").change(function() {
        var usr = $("#orgname").val();
        if(usr.length >= 2) {
            $("#status").html('<img align="absmiddle" src="images/loader.gif" /> Checking Code...');
            $.ajax({
                type: "POST",
                url: "checkcode.cfm",
                data: { orgname: usr },   // let jQuery URL-encode the value
                success: function(msg){
                    // Update #status directly here; registering a fresh ajaxComplete
                    // handler on every response adds up over time.
                    // Note: checkcode.cfm returns a coloured <span>, never the bare
                    // string 'OK', so in practice the else branch always runs.
                    if(msg == 'OK') {
                        $("#orgname").removeClass('object_error'); // if necessary
                        $("#orgname").addClass("object_ok");
                        $("#status").html(' <img align="absmiddle" src="images/accepted.png" /> ');
                    } else {
                        $("#orgname").removeClass('object_ok'); // if necessary
                        $("#orgname").addClass("object_error");
                        $("#status").html(msg);
                    }
                }
            });
        } else {
            $("#status").html('The Code should have at least 2 characters.');
            $("#orgname").removeClass('object_ok'); // if necessary
            $("#orgname").addClass("object_error");
        }
    });
});
//-->
</script>

Here is the checkcode.cfm page:

<cfsetting showdebugoutput="false">
<!--- Set the orgname to blank first --->
<cfparam name="orgname" default="">
<!--- Query the organizations table for all of the org names --->
<cfquery name="checkName" datasource="#request.dataSource#">
    SELECT orgname, orglongname
    FROM organizations
</cfquery>
<!--- put the names into a list --->
<cfset orgnamelist = valueList(checkName.orgname, ",")>
<!--- Check the list against the name entered.
      If there is a match, then code is valid, otherwise code is invalid --->
<cfif listFindNoCase(orgnamelist, orgname)>
    <cfset available = '<span style="color: Green;">Code is valid.</span>'>
<cfelse>
    <!--- HTMLEditFormat() encodes the echoed user input so it cannot inject markup into the page --->
    <cfset available = '<span style="color: red;">The Code <b>#HTMLEditFormat(orgname)#</b> is an invalid code. <br />Please re-enter your code.</span>'>
</cfif>
<cfoutput>#available#</cfoutput>

Hopefully someone can help. The client put out a huge email blast today and then as an afterthought wanted the added functionality, since someone already tried to enter the long name rather than the code as instructed.

Thanks,

Bruce

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354488
Re: A little help with jquery/cfm
You should move your check into the WHERE clause of the query (WHERE orgname = '#orgname#' or orglongname = '#orgname#') and change the listFindNoCase condition to checkName.recordcount GT 0. There is no need to return the entire record set and then convert it to a list. Get rid of the orgnamelist variable altogether. That is a waste of resources.

To be on the safe side you should also use cfqueryparam to wrap the variables in your SQL statement to prevent SQL injection attacks.

Brian Cain

On Feb 12, 2013, at 7:25 PM, Bruce Sorge <sor...@gmail.com> wrote:
> Hey all,
>
> I have an app that is running great. User enters a code into a form field, and it checks the db to see if it's valid. If not, they can't move on. Problem is that now the customer wants to be able to enter either the 2-5 character code OR the long name. For instance, you could enter AS or Adaptive Sports. I am not sure how to add this functionality into this code below, as I did not write the query; I found it on-line and modified it for my site.
>
> JQuery:
>
> <script src="js/jquery.js" type="text/javascript"></script>
> <script type="text/javascript">
> <!--
> pic1 = new Image(16, 16);
> pic1.src = "images/loader.gif";
>
> $(document).ready(function(){
>     $("#orgname").change(function() {
>         var usr = $("#orgname").val();
>         if(usr.length >= 2) {
>             $("#status").html('<img align="absmiddle" src="images/loader.gif" /> Checking Code...');
>             $.ajax({
>                 type: "POST",
>                 url: "checkcode.cfm",
>                 data: { orgname: usr },   // let jQuery URL-encode the value
>                 success: function(msg){
>                     // checkcode.cfm returns a coloured <span>, never the bare
>                     // string 'OK', so in practice the else branch always runs.
>                     if(msg == 'OK') {
>                         $("#orgname").removeClass('object_error'); // if necessary
>                         $("#orgname").addClass("object_ok");
>                         $("#status").html(' <img align="absmiddle" src="images/accepted.png" /> ');
>                     } else {
>                         $("#orgname").removeClass('object_ok'); // if necessary
>                         $("#orgname").addClass("object_error");
>                         $("#status").html(msg);
>                     }
>                 }
>             });
>         } else {
>             $("#status").html('The Code should have at least 2 characters.');
>             $("#orgname").removeClass('object_ok'); // if necessary
>             $("#orgname").addClass("object_error");
>         }
>     });
> });
> //-->
> </script>
>
> Here is the checkcode.cfm page:
>
> <cfsetting showdebugoutput="false">
> <!--- Set the orgname to blank first --->
> <cfparam name="orgname" default="">
> <!--- Query the organizations table for all of the org names --->
> <cfquery name="checkName" datasource="#request.dataSource#">
>     SELECT orgname, orglongname
>     FROM organizations
> </cfquery>
> <!--- put the names into a list --->
> <cfset orgnamelist = valueList(checkName.orgname, ",")>
> <!--- Check the list against the name entered.
>       If there is a match, then code is valid, otherwise code is invalid --->
> <cfif listFindNoCase(orgnamelist, orgname)>
>     <cfset available = '<span style="color: Green;">Code is valid.</span>'>
> <cfelse>
>     <!--- HTMLEditFormat() encodes the echoed user input so it cannot inject markup into the page --->
>     <cfset available = '<span style="color: red;">The Code <b>#HTMLEditFormat(orgname)#</b> is an invalid code. <br />Please re-enter your code.</span>'>
> </cfif>
> <cfoutput>#available#</cfoutput>
>
> Hopefully someone can help. The client put out a huge email blast today and then as an afterthought wanted the added functionality, since someone already tried to enter the long name rather than the code as instructed.
>
> Thanks,
>
> Bruce

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354489
Re: A little help with jquery/cfm
The thing is that the check is not done when they post, it's done when they enter the code, then shift the focus from the form field.

Bruce

On Feb 12, 2013, at 8:42 PM, Brian Cain <bcc9...@gmail.com> wrote:
> You should move your check into the WHERE clause of the query (WHERE orgname = '#orgname#' or orglongname = '#orgname#') and change the listFindNoCase condition to checkName.recordcount GT 0. There is no need to return the entire record set and then convert it to a list. Get rid of the orgnamelist variable altogether. That is a waste of resources.
>
> To be on the safe side you should also use cfqueryparam to wrap the variables in your SQL statement to prevent SQL injection attacks.
>
> Brian Cain

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354490
Re: A little help with jquery/cfm
Yes. You are checking on checkcode.cfm. That is the page that needs to be modified.

Brian Cain

On Feb 12, 2013, at 7:47 PM, Bruce Sorge <sor...@gmail.com> wrote:
> The thing is that the check is not done when they post, it's done when they enter the code, then shift the focus from the form field.
>
> Bruce
>
> On Feb 12, 2013, at 8:42 PM, Brian Cain <bcc9...@gmail.com> wrote:
>> You should move your check into the WHERE clause of the query (WHERE orgname = '#orgname#' or orglongname = '#orgname#') and change the listFindNoCase condition to checkName.recordcount GT 0. There is no need to return the entire record set and then convert it to a list. Get rid of the orgnamelist variable altogether. That is a waste of resources.
>>
>> To be on the safe side you should also use cfqueryparam to wrap the variables in your SQL statement to prevent SQL injection attacks.
>>
>> Brian Cain

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354491
Re: A little help with jquery/cfm
Yeah, I had a brain fart. This fixed it:

<cfsetting showdebugoutput="false">
<!--- Set the orgname to blank first --->
<cfparam name="form.orgname" default="">
<!--- Look the entered value up as either the short code or the long name;
      cfqueryparam keeps the user's input out of the SQL text --->
<cfquery name="checkName" datasource="#request.dataSource#">
    SELECT orgname, orglongname
    FROM organizations
    WHERE orgname = <cfqueryparam value="#form.orgname#" cfsqltype="cf_sql_varchar">
       OR orglongname = <cfqueryparam value="#form.orgname#" cfsqltype="cf_sql_varchar">
</cfquery>
<!--- If there is a match, then code is valid, otherwise code is invalid --->
<cfif LEN(checkName.orgname) OR LEN(checkName.orglongname)>
    <cfset available = '<span style="color: Green;">Code is valid.</span>'>
<cfelse>
    <!--- HTMLEditFormat() encodes the echoed user input so it cannot inject markup into the page --->
    <cfset available = '<span style="color: red;">The Code <b>#HTMLEditFormat(form.orgname)#</b> is an invalid code. Please re-enter your code.</span>'>
</cfif>
<cfoutput>#available#</cfoutput>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354492