Re: validating query string error
May I ask a probably dumb question? Isn't val() simply enough to stop a SQL injection attack through that function?

--RR

On Mon, Jun 11, 2012 at 6:08 PM, Mike Little m...@nzsolutions.co.nz wrote:

> On my pricing page, I have the following if statement to ensure invalid URL vars are not being input...
>
> if (isnumeric(val(URL.lid))) {
>
> However, the query string below seems to get through? What should I be doing instead?
>
> --- error message ---
> Diagnostics: The LOCATION_ID argument passed to the get_term_loaded function is not of type numeric. If the component name is specified as a type of this argument, it's possible that a definition file for the component cannot be found or is not accessible. The error occurred on line 153.
> Referrer:
> Template: /pricing.cfm
> Query string: lid=14%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351546
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: validating query string error
if ( isNumeric( val( url.lid ) ) )

That will *always* return true, no matter what you pass as URL.lid. Why? Because you are explicitly converting it using val(). Try this and you'll see what I mean.

<cfoutput>
#val( 1039 )# <br />
#val( 'xyz' )# <br />
#val( '14%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--' )# <br />
</cfoutput>
RE: validating query string error
From the ColdFusion docs:

If TestValue = "234A567", Val(TestValue) returns 234.
If TestValue = "234'5678'9", Val(TestValue) returns 234.
If TestValue = "BG234", Val(TestValue) returns the value 0 (not an error).
If TestValue = 0, Val(TestValue) returns the value 0 (not an error).

So for lid=14%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version, Val('14%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version') would be equal to 14, which is numeric.

-----Original Message-----
From: Mike Little [mailto:m...@nzsolutions.co.nz]
Sent: Monday, June 11, 2012 3:09 PM
To: cf-talk
Subject: validating query string error

> On my pricing page, I have the following if statement to ensure invalid URL vars are not being input...
>
> if (isnumeric(val(URL.lid))) {
>
> However, the query string below seems to get through? What should I be doing instead?
>
> --- error message ---
> Diagnostics: The LOCATION_ID argument passed to the get_term_loaded function is not of type numeric. If the component name is specified as a type of this argument, it's possible that a definition file for the component cannot be found or is not accessible. The error occurred on line 153.
> Referrer:
> Template: /pricing.cfm
> Query string: lid=14%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--
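The two replies above establish the bug: val() is a coercion, not a validation, so isNumeric(val(x)) is true for every x and the injection payload reaches the CFC as "14'/**/or/**/1=@@version--" (the CFC's numeric argument type is what actually stopped it). Below is an added example of what the pricing template should do instead; it is not code from the thread or from the justcabins.co.nz site. It assumes a datasource named "myDSN", a table "locations" with an integer "location_id" column, and that get_term_loaded() takes the id as a named LOCATION_ID argument, as the error message suggests; all of those names are assumptions.

```cfml
<!--- Added example, not from the original thread. Assumed names: datasource
      "myDSN", table "locations", column "location_id", function get_term_loaded(). --->

<!--- The check from the thread, kept only for contrast. val() coerces the
      string "14'/**/or/**/1=@@version--" to 14, so this branch is taken for
      every request and validates nothing. Do not use it. --->
<cfif isNumeric( val( url.lid ) )>
    <!--- every request lands here, including the injection attempt --->
</cfif>

<!--- Hardened version --->
<cfparam name="url.lid" default="">

<!--- 1. Validate the raw string, never a coerced copy of it.
      isValid("integer") rejects "14'/**/or/**/1=@@version--", "" and "14.5";
      plain isNumeric() would still accept "14.5" and "1e3". The range check
      rejects "0" and negative ids. --->
<cfif NOT isValid( "integer", url.lid ) OR url.lid LT 1>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid location id.</cfoutput>
    <cfabort>
</cfif>

<!--- 2. Parameterise the query. The value is bound as an integer by the
      driver, so it can never be parsed as SQL even if a check upstream is
      bypassed or removed later. --->
<cfquery name="qLocation" datasource="myDSN">
    SELECT location_id, name
    FROM   locations
    WHERE  location_id = <cfqueryparam value="#url.lid#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif qLocation.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput>Unknown location id.</cfoutput>
    <cfabort>
</cfif>

<!--- 3. Hand the validated value to the CFC. Its "numeric" argument type is
      now a second line of defence rather than the only one. --->
<cfset termLoaded = get_term_loaded( LOCATION_ID = url.lid )>
```

The order matters: the isValid() check gives the user a clean 400 instead of a stack trace, but the cfqueryparam is what removes the injection class entirely, so it stays even where the id is also validated. Applying the same pattern to every other URL and FORM value that reaches a cfquery is the real fix; a single unparameterised query elsewhere on the site is enough for the "@@version" probe seen in the query string to succeed.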
Re: validating query string error
Aha... I see what I have done wrong!! Thanks guys.
Re: validating query string error
The page in question... http://www.justcabins.co.nz/pricing.cfm