Re: CFSTOREDPROC and invalid SQL
Thanks to everyone for their replies. If someone is searching for this in the future the solution seems to be as follows: If you have a stored proc that DOES NOT require params in or out of the stored proc, the string to call looks like this Mixed Case: cfset storedProcVar = SCHEMANAME. PackageName . StoredProcName() / Non Mixed Case: cfset storedProcVar = SCHEMANAME.PACKAGE_NAME.STORED_PROC_NAME() / If you have a stored proc that DOES require params in or out of the stored proc, the string to call looks like this cfset storedProcVar = SCHEMANAME. PackageName . StoredProcName / Non Mixed Case: cfset storedProcVar = SCHEMANAME.PACKAGE_NAME.STORED_PROC_NAME / And then used in: cfstoredproc procedure=#storedProcVar# datasource=#request.LOCAL_DATASOURCE# Not sure if needing/not needing the () is just common sense or not, but I got stuck on it for a bit. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338831 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFSTOREDPROC and invalid SQL
Been awhile since I had to use Oracle, but is sysdate a function? Can you try: datetext := to_char(sysdate(), '-mm-dd'); Hi all, So I'm very stuck and tired of saying mean things to my computer... so I hope you are able to see something I'm missing. In short, in order to trouble shoot a larger stored proc call, I've created a very simple one to get working first. It just returns a value. Platforms: Oracle11g / CFMX7 (oracle drivers) / IIS6 The Stored Proc: CREATE OR REPLACE PROCEDURE FUNDING.OMGItsMixedCase (datetext out varchar2 ) is --AUTHID CURRENT_USER IS BEGIN -- executable part starts here datetext := to_char(sysdate, '-mm-dd'); END; / --- The CF Code to call it: !--- I know setting the storedProc var works since I can call a different storedProc on another schema with this method, though it requires nothing passed in. ie: this code approach works elsewhere --- cfset storedProc = FUNDING. OMGItsMixedCase() cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / /cfstoredproc The error: (nemisis) [Macromedia][Oracle JDBC Driver][Oracle]ORA-00900: invalid SQL statement The error occurred in D:\somepath\act_updateProgramFund.cfm: line 50 48 : 49 : cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes 50 : cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / 51 : /cfstoredproc 52 : SQL { (param 1) = call P3DEVELOPER.date_text()( (param 2) )} DATASOURCE oracle1srvr VENDORERRORCODE 900 SQLSTATE 42000 What's with the param 1 in front of the call? then another param 2?? Thanks for your time and effort, Brent ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338789 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFSTOREDPROC and invalid SQL
This may not be what you're after, but try replacing datetext := to_char(sysdate, '-mm-dd'); with SELECT TO_CHAR(sysdate, '-mm-dd') INTO datetext FROM dual; Thanks, Eric Cobb ECAR Technologies, LLC http://www.ecartech.com http://www.cfgears.com Brent Nicholas wrote: Hi all, So I'm very stuck and tired of saying mean things to my computer... so I hope you are able to see something I'm missing. In short, in order to trouble shoot a larger stored proc call, I've created a very simple one to get working first. It just returns a value. Platforms: Oracle11g / CFMX7 (oracle drivers) / IIS6 The Stored Proc: CREATE OR REPLACE PROCEDURE FUNDING.OMGItsMixedCase (datetext out varchar2 ) is --AUTHID CURRENT_USER IS BEGIN -- executable part starts here datetext := to_char(sysdate, '-mm-dd'); END; / --- The CF Code to call it: !--- I know setting the storedProc var works since I can call a different storedProc on another schema with this method, though it requires nothing passed in. ie: this code approach works elsewhere --- cfset storedProc = FUNDING. OMGItsMixedCase() cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / /cfstoredproc The error: (nemisis) [Macromedia][Oracle JDBC Driver][Oracle]ORA-00900: invalid SQL statement The error occurred in D:\somepath\act_updateProgramFund.cfm: line 50 48 : 49 : cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes 50 : cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / 51 : /cfstoredproc 52 : SQL { (param 1) = call P3DEVELOPER.date_text()( (param 2) )} DATASOURCE oracle1srvr VENDORERRORCODE 900 SQLSTATE 42000 What's with the param 1 in front of the call? then another param 2?? Thanks for your time and effort, Brent ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338793 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFSTOREDPROC and invalid SQL
Hi all, So I'm very stuck and tired of saying mean things to my computer... so I hope you are able to see something I'm missing. In short, in order to trouble shoot a larger stored proc call, I've created a very simple one to get working first. It just returns a value. Platforms: Oracle11g / CFMX7 (oracle drivers) / IIS6 The Stored Proc: CREATE OR REPLACE PROCEDURE FUNDING.OMGItsMixedCase (datetext out varchar2 ) is --AUTHID CURRENT_USER IS BEGIN -- executable part starts here datetext := to_char(sysdate, '-mm-dd'); END; / --- The CF Code to call it: !--- I know setting the storedProc var works since I can call a different storedProc on another schema with this method, though it requires nothing passed in. ie: this code approach works elsewhere --- cfset storedProc = FUNDING. OMGItsMixedCase() cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / /cfstoredproc The error: (nemisis) [Macromedia][Oracle JDBC Driver][Oracle]ORA-00900: invalid SQL statement The error occurred in D:\somepath\act_updateProgramFund.cfm: line 50 48 : 49 : cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes 50 :cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / 51 : /cfstoredproc 52 : SQL { (param 1) = call P3DEVELOPER.date_text()( (param 2) )} DATASOURCE oracle1srvr VENDORERRORCODE 900 SQLSTATE 42000 What's with the param 1 in front of the call? then another param 2?? Thanks for your time and effort, Brent ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338769 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFSTOREDPROC and invalid SQL
returncode=yes What's with the param 1 in front of the call? then another param 2?? A complete guess from a non-Oracle person, but ... could it be for the return code? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338770 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFSTOREDPROC and invalid SQL
returncode=yes What's with the param 1 in front of the call? then another param 2?? A complete guess from a non-Oracle person, but ... could it be for the return code? Ok, I've removed returncode and debug and now have the following. cfstoredproc procedure=#storedProc# dataSource=bigdatabasemonster cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / /cfstoredproc Returns: SQL {call P3DEVELOPER.date_text()( (param 1) )} All the rest is the same error. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338771 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFSTOREDPROC and invalid SQL
I had incorrect information in my error in the previous two posts. It should read: The error: (nemisis) [Macromedia][Oracle JDBC Driver][Oracle]ORA-00900: invalid SQL statement The error occurred in D:\somepath\act_updateProgramFund.cfm: line 50 48 : 49 : cfstoredproc procedure=#storedProc# dataSource=databasemonster debug=yes returncode=yes 50 : cfprocparam type=out cfsqltype=CF_SQL_VARCHAR dbvarname=datetext / 51 : /cfstoredproc 52 : SQL {call FUNDING.date_text()( (param 1) )} DATASOURCE oracle1srvr VENDORERRORCODE 900 SQLSTATE 42000 ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:338772 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
cfstoredproc timeout
Hi, I want to limit the total execution time of a stored procedure being called from Coldfusion using cfstoredproc to 90 seconds. With cfquery there is a parameter timeout, but there is no equivalent in cfstoredproc. Can anyone think of an alternative to accomplishing this. The trick is, I want to wrap the stored procedure call around a cftry block and create an empty query if the procedure times out. Thanks, Asaf ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333251 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: cfstoredproc timeout
I want to limit the total execution time of a stored procedure being called from Coldfusion using cfstoredproc to 90 seconds. With cfquery there is a parameter timeout, but there is no equivalent in cfstoredproc. Can anyone think of an alternative to accomplishing this. The trick is, I want to wrap the stored procedure call around a cftry block and create an empty query if the procedure times out. You can often call stored procedures using CFQUERY. If your stored procedure doesn't return multiple recordsets, that might be a good approach. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ http://training.figleaf.com/ Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsit ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:333252 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: CFSTOREDPROC kind of sucks
That is very nice Brad. Thanks for that perspective. First of all, it is my preference to explicitly check for an existing duplicate value prior to insertion instead of allowing SQL server to throw the error. The column constraint is my fall-back. Either way, if you want your stored procedures to be able to pass back useful information about problems or successes it encountered, I would recommend using the return code and an @outputMessage output variable. Your proc can test for the condition and set the output message into an output variable and return the desired code. This way, if the database driver provider or DBMS itself ever changes their error codes in a future version it won't bork your code. CREATE PROCEDURE myProc @outputMessage varchar(255) OUTPUT, @input1 int, @input2 int AS BEGIN IF badCondition is true BEGIN SET @outputMessage = 'Here is a detailed and useful error message' RETURN 75 -- Your special code for this error END -- otherwise... SET @outputMessage = 'Execution Successful' RETURN 0 END The cfstoredproc tag give you the return code, and you can then check it for whatever problems may have occurred. You can then use the value of @outputMessage to return to the user if you so choose. ~Brad ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325780 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: CFSTOREDPROC kind of sucks
Three issues that come to mind: You've really only listed two issues. Cannot access transaction errors because a coldfusion exception is thrown so any validation exceptions must be handled through cftry/cfcatch instead of the CFSTOREDPROC. If en error occurs in SQL, it means coldfusion throws an error too. This is (a) in keeping with how CF deals with database errors generally, and (b) pretty much ideal. What would you suggest CFSTOREDPROC do, other than swallow the database error? There's no place within CFSTOREDPROC for additional conditional processing, really, so why not use exceptions? Of course, you can use the database-specific attributes within CFCATCH to figure out how to respond. dbvarname is completely useless. It would be nice to be able to send values across out of order or not send a value if it is not needed (NULL). It would also be nice to have those values in the debugging to reference. My understanding is that this is a limitation in JDBC, although I can't really say I've verified that for myself. But yeah, it would be nice to send name-value pairs. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325744 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
CFSTOREDPROC kind of sucks
Three issues that come to mind: Cannot access transaction errors because a coldfusion exception is thrown so any validation exceptions must be handled through cftry/cfcatch instead of the CFSTOREDPROC. If en error occurs in SQL, it means coldfusion throws an error too. dbvarname is completely useless. It would be nice to be able to send values across out of order or not send a value if it is not needed (NULL). It would also be nice to have those values in the debugging to reference. I have found a pretty good work around for the exception but still nothing for dbvarname. Discuss. ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325743 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: CFSTOREDPROC kind of sucks
According to LiveDocs, in MX 6 Changed the dbvarname attribute behavior: it is now ignored for all drivers. ColdFusion uses JDBC 2.2 and does not support named parameters. Thanks, Eric Cobb http://www.cfgears.com Dave Watts wrote: Three issues that come to mind: You've really only listed two issues. Cannot access transaction errors because a coldfusion exception is thrown so any validation exceptions must be handled through cftry/cfcatch instead of the CFSTOREDPROC. If en error occurs in SQL, it means coldfusion throws an error too. This is (a) in keeping with how CF deals with database errors generally, and (b) pretty much ideal. What would you suggest CFSTOREDPROC do, other than swallow the database error? There's no place within CFSTOREDPROC for additional conditional processing, really, so why not use exceptions? Of course, you can use the database-specific attributes within CFCATCH to figure out how to respond. dbvarname is completely useless. It would be nice to be able to send values across out of order or not send a value if it is not needed (NULL). It would also be nice to have those values in the debugging to reference. My understanding is that this is a limitation in JDBC, although I can't really say I've verified that for myself. But yeah, it would be nice to send name-value pairs. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325746 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: CFSTOREDPROC kind of sucks
On Wed, Aug 26, 2009 at 2:14 PM, Tony Bentleyt...@tonybentley.com wrote: dbvarname is completely useless. It would be nice to be able to send values across out of order or not send a value if it is not needed (NULL). It would also be nice to have those values in the debugging to reference. You can send a null cfprocparam cfsqltype=cf_sql_whatever value= null=yes or cfprocparam cfsqltype=cf_sql_whatever value=#myvar# null=#len(myvar) is 0# -- Rick Root CFFM - Open Source Coldfusion File Manager http://www.opensourcecf.com/cffm ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325747 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFSTOREDPROC kind of sucks
Sorry, only two issues really. A real world scenario is when a user tries to insert a value that must be unique in the database. If a duplicate is found, SQL can return a reference code and a message stating that there is a duplicate found, an exception is thrown and an id is passed back - RAISERROR @@ERROR. When this is thrown, the message states [Macromedia][SQLServer JDBC Driver] and then the RAISERROR message following. Nice for debugging but not so nice for passing the message and error code to a handler. I would really like to be able to use the error codes and have a handler method based on which code it passed back. Not really possible. Kind of hokey not to throw a SQL exception (and pass back a value instead) since you would want SQL Server to log the exception. ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325748 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: CFSTOREDPROC kind of sucks
First of all, it is my preference to explicitly check for an existing duplicate value prior to insertion instead of allowing SQL server to throw the error. The column constraint is my fall-back. Either way, if you want your stored procedures to be able to pass back useful information about problems or successes it encountered, I would recommend using the return code and an @outputMessage output variable. Your proc can test for the condition and set the output message into an output variable and return the desired code. This way, if the database driver provider or DBMS itself ever changes their error codes in a future version it won't bork your code. CREATE PROCEDURE myProc @outputMessage varchar(255) OUTPUT, @input1 int, @input2 int AS BEGIN IF badCondition is true BEGIN SET @outputMessage = 'Here is a detailed and useful error message' RETURN 75 -- Your special code for this error END -- otherwise... SET @outputMessage = 'Execution Successful' RETURN 0 END The cfstoredproc tag give you the return code, and you can then check it for whatever problems may have occurred. You can then use the value of @outputMessage to return to the user if you so choose. ~Brad Original Message Subject: Re: CFSTOREDPROC kind of sucks From: Tony Bentley t...@tonybentley.com Date: Wed, August 26, 2009 3:04 pm To: cf-talk cf-talk@houseoffusion.com Sorry, only two issues really. A real world scenario is when a user tries to insert a value that must be unique in the database. If a duplicate is found, SQL can return a reference code and a message stating that there is a duplicate found, an exception is thrown and an id is passed back - RAISERROR @@ERROR. When this is thrown, the message states [Macromedia][SQLServer JDBC Driver] and then the RAISERROR message following. Nice for debugging but not so nice for passing the message and error code to a handler. I would really like to be able to use the error codes and have a handler method based on which code it passed back. Not really possible. Kind of hokey not to throw a SQL exception (and pass back a value instead) since you would want SQL Server to log the exception. ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325749 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFSTOREDPROC kind of sucks
A real world scenario is when a user tries to insert a value that must be unique in the database. If a duplicate is found, SQL can return a reference code and a message stating that there is a duplicate found, an exception is thrown and an id is passed back - RAISERROR @@ERROR. When this is thrown, the message states [Macromedia][SQLServer JDBC Driver] and then the RAISERROR message following. Nice for debugging but not so nice for passing the message and error code to a handler. I would really like to be able to use the error codes and have a handler method based on which code it passed back. Not really possible. Kind of hokey not to throw a SQL exception (and pass back a value instead) since you would want SQL Server to log the exception. I don't understand the problem. Just return the exception, catch it with try/catch, and use the CFCATCH data to see the exception data. SQL Server will log the exception, and you can choose how to present it in CF. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325750 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFSTOREDPROC kind of sucks
On Wed, Aug 26, 2009 at 4:04 PM, Tony Bentleyt...@tonybentley.com wrote: When this is thrown, the message states [Macromedia][SQLServer JDBC Driver] and then the RAISERROR message following. Nice for debugging but not so nice for passing the message and error code to a handler. I would really like to be able to use the error codes and have a handler method based on which code it passed back. Not really possible. Kind of hokey not to throw a SQL exception (and pass back a value instead) since you would want SQL Server to log the exception. Have you tried dumping the cfcatch to see what's in there? I find that it often includes much more than the error message you see when not using try/catch... IE, there's a SQLSTATE value in there somewhere and some other stuff. -- Rick Root CFFM - Open Source Coldfusion File Manager http://www.opensourcecf.com/cffm ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325753 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Problem with CFSTOREDPROC
Hi everybody, I have a problem with cfstoredproc and Informix database, when I invoke a stored procedure by cfstoredproc, it returns me several columns with the same name (EXPRESSION) and repeat the value of first column. I am running CFMX 8.0.1 Enterprise, with Informix 9.40 and built-in driver, wich works great, but when i try to use CFMX 8.0.1 with JDBC 3.50 for IBM Informix cfstoredproc error occurs. I need this version of JDBC because I will upgrade to informix 11.50 and CFMX 8.0.1. This is the stored procedure... CREATE PROCEDURE admgcn.stpbacklog (unidad1 char(1)) returning char(10), char(12), char(12), char(30), char(7), char(1), char(40), char(30), char(8), int, varchar(255,0), varchar(255,0), varchar(255,0), char(1), char(40), char(12), char(8); define r_fecemision char(10); define r_numaviso like r3avisos.numaviso; define r_numorden like r3avisos.numorden; define r_ubicacion like r3avisos.ubicacion; define r_inop like r3otinopcd.noinop; define r_prior like r3avisos.prior; define r_descaviso like r3avisos.descaviso; define r_resp like r3avisosop.responsable; define r_numsem like r3avisosop.numsem; define r_porc like r3activ.porcentaje; define r_coment like r3avisosop.comentop; define r_solpeds like r3avisosop.solpeds; define r_comentab like r3avisosop.comentab; define r_repercusion like r3avisos.repercusion; define r_status like r3avisos.status; define r_pn like r3avisos.numaviso; define r_ptotrbres like r3avisos.ptotrbres; define valor int; let valor = 1; if (weekday(today) = 1) then let valor = 3; end if; begin set isolation to dirty read; foreach SELECT a.fecemision, a.numaviso, a.numorden, a.ubicacion, ao.inop, a.prior prioridad, a.descaviso descripcion, ao.responsable, ao.numsem, 0 porcentaje, nvl(trim(ao.comentop),'') comentop, nvl(trim(ao.solpeds),'') solpeds, nvl(trim(ao.comentab[1,234]), '') comentab, a.repercusion, a.status,trim((select a.numaviso from r3avisos avs where unaviso = unidad1 and status[1,4] 'MECE' and edodisp = '2' and prior is not null and a.numaviso = avs.numaviso)) PN, ptotrbres INTO r_fecemision, r_numaviso, r_numorden, r_ubicacion, r_inop, r_prior, r_descaviso, r_resp, r_numsem, r_porc, r_coment, r_solpeds, r_comentab, r_repercusion, r_status, r_pn, r_ptotrbres FROM r3avisos a, outer r3avisosop ao WHERE a.status[1,4] ('MECE') and a.prior in ('1', '2', '3', '4', '5') and (a.repercusion 'A' or a.repercusion is null) and a.claseaviso = 'AN' and ao.numaviso = a.numaviso and a.unaviso = unidad1 and a.numorden is null {and (DATE(TO_DATE(creado,'%d/%m/%Y')) = today - valor and DATE(TO_DATE(creado,'%d/%m/%Y')) = today)} UNION SELECT a.fecemision, a.numaviso, a.numorden, a.ubicacion, '', r3o.prioridad, r3o.descripcion, ao.responsable, r3o.pep numsem, r3a.porcentaje porcentaje, nvl(trim(ao.comentop),'') comentop, nvl(trim(ao.solpeds),'') solpeds, nvl(trim(ao.comentab[1,234]), '') comentab, a.repercusion, r3o.statussist,trim((select a.numaviso from r3avisos avs where unaviso = unidad1 and status[1,4] 'MECE' and edodisp = '2' and prior is not null and a.numaviso = avs.numaviso)) PN, r3o.ptotrbres FROM r3avisos a, outer r3avisosop ao, r3orden r3o, r3activ r3a WHERE r3o.statusus[1,4] 'CANC' and r3o.statussist[1,4] in ('LIBD','LIBE', 'ABIE') and r3o.prioridad in ('1', '2', '3', '4', '5') and (a.repercusion 'A' or a.repercusion is null) and r3o.claseorden = 'LV01' and r3o.claseact = 'N00' and a.unaviso = unidad1 and ao.numaviso = a.numaviso and a.numorden = r3o.numorden and r3a.numorden = a.numorden and r3a.porcentaje 100 and r3a.numope is not null UNION SELECT a.fecemision, a.numaviso, a.numorden, a.ubicacion, '', r3o.prioridad, r3o.descripcion, ao.responsable, r3o.pep numsem,0 porcentaje, nvl(trim(ao.comentop),'') comentop, nvl(trim(ao.solpeds),'') solpeds, nvl(trim(ao.comentab[1,234]), '') comentab, a.repercusion, r3o.statussist,trim((select a.numaviso from r3avisos avs where unaviso = unidad1 and status[1,4] 'MECE' and edodisp = '2' and prior is not null and a.numaviso = avs.numaviso)) PN, r3o.ptotrbres FROM r3avisos a, outer r3avisosop ao, r3orden r3o WHERE r3o.statusus[1,4] 'CANC' and r3o.statussist[1,4] in ('LIBD','LIBE', 'ABIE') and r3o.prioridad in ('1', '2', '3', '4', '5') and (a.repercusion 'A' or a.repercusion is null) and r3o.claseorden = 'LV01' and r3o.claseact = 'N00' and a.unaviso = unidad1 and ao.numaviso = a.numaviso and a.numorden = r3o.numorden
Re: Problem with CFSTOREDPROC
Try to reproduce the problem using only one database column and a three line database query. It is easier to troubleshoot three lines of SQL than 100 lines of SQL. -Mike Chabot On Sun, Jan 11, 2009 at 6:45 PM, Mauro Luna mlane...@cfe.gob.mx wrote: Hi everybody, I have a problem with cfstoredproc and Informix database, when I invoke a stored procedure by cfstoredproc, it returns me several columns with the same name (EXPRESSION) and repeat the value of first column. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:317745 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
cfqueryparam vs cfstoredproc?
Question... the more I read about CFQUERYPARAM the more it seems it mitigates many of the problems that using stored procedures also solves. I realize with stored procedures you have a lot more power in terms of SQL scripting, but for basic queries, is CFQUERYPARAM just as fast as (or faster than) running CFSTOREDPROC? For a CFSTOREDPROC vs CFQUERYPARAM debate what would be the better thans on each side of the argument? A few I can think of off the top of my head would be: Stored Procedures - can contain advanced SQL procedural code. Encapsulate code outside of you application for a layer of abstraction. CFQUERYPARAM - allows non-DBAs to take advantage of pre-compiled queries, providing speedier and more secured code. You can encapsulate much the same way a stored procedure does with CFCs. Would love to hear from others on the advantages/disadvantages of each Thanks! Marie keywords for searching: cfprocparam vs cfqueryparam, cfqueryparam vs cfprocparam, cfprocresult, cfquery, cftransaction, cfupdate, cfinsert ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314605 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfqueryparam vs cfstoredproc?
SQL in your CF code can be made dynamic more easily. The SP equivalent involves a SQL string and EXEC(). Not pretty. Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: Marie Taylore Sent: 30 October 2008 15:49 To: cf-talk Subject: cfqueryparam vs cfstoredproc? Question... the more I read about CFQUERYPARAM the more it seems it mitigates many of the problems that using stored procedures also solves. I realize with stored procedures you have a lot more power in terms of SQL scripting, but for basic queries, is CFQUERYPARAM just as fast as (or faster than) running CFSTOREDPROC? For a CFSTOREDPROC vs CFQUERYPARAM debate what would be the better thans on each side of the argument? A few I can think of off the top of my head would be: Stored Procedures - can contain advanced SQL procedural code. Encapsulate code outside of you application for a layer of abstraction. CFQUERYPARAM - allows non-DBAs to take advantage of pre-compiled queries, providing speedier and more secured code. You can encapsulate much the same way a stored procedure does with CFCs. Would love to hear from others on the advantages/disadvantages of each Thanks! Marie keywords for searching: cfprocparam vs cfqueryparam, cfqueryparam vs cfprocparam, cfprocresult, cfquery, cftransaction, cfupdate, cfinsert ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314607 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: cfqueryparam vs cfstoredproc?
We call stored procedures using cfqueryparam: cfquery datasource=DSN name=SomeQuery EXEC StoredProcName @ParamName = cfqueryparam cfsqltype=cf_sql_integer value=#session.value# /cfquery On Thu, Oct 30, 2008 at 10:49 AM, Marie Taylore [EMAIL PROTECTED]wrote: Question... the more I read about CFQUERYPARAM the more it seems it mitigates many of the problems that using stored procedures also solves. I realize with stored procedures you have a lot more power in terms of SQL scripting, but for basic queries, is CFQUERYPARAM just as fast as (or faster than) running CFSTOREDPROC? For a CFSTOREDPROC vs CFQUERYPARAM debate what would be the better thans on each side of the argument? A few I can think of off the top of my head would be: Stored Procedures - can contain advanced SQL procedural code. Encapsulate code outside of you application for a layer of abstraction. CFQUERYPARAM - allows non-DBAs to take advantage of pre-compiled queries, providing speedier and more secured code. You can encapsulate much the same way a stored procedure does with CFCs. Would love to hear from others on the advantages/disadvantages of each Thanks! Marie keywords for searching: cfprocparam vs cfqueryparam, cfqueryparam vs cfprocparam, cfprocresult, cfquery, cftransaction, cfupdate, cfinsert ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314608 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: cfqueryparam vs cfstoredproc?
The only issue I have run into with CFQUERYPARAM is that is can degrade performance on dynamic queries. This is an inherent issue in what CFQUERYPARAM does, it essentially makes your queries into stored procs, if you actually watch the traffic flow through a MS SQL Server for example, you will see your app is actually calling what appear to be stored procs. The performance issue manifest when your query has dynamic bits, such as the following example: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = cfqueryparam cfsqltype=CF_SQL_INTEGER value=#Session.ClientCode# cfif IsDefined(Form.FnameFilter) AND Fname = cfqueryparam cfsqltype=CF_SQL_VARCHAR value=#Form.FnameFilter# /cfif cfif IsDefined(Form.LnameFilter) AND Lname = cfqueryparam cfsqltype=CF_SQL_VARCHAR value=#Form.LnameFilter# /cfif The first time CF processes this query, it creates some sort of memory based or temporary stored proc for it based on the structure of the query as it was run in this instance. It builds up an image of the query based on the CFQUERYPARAMS used. Now if the next time the query is executed one or more of the IF statements has a different result, thus including or excluding one or more, then CF has to recompile the temporary stored proc. This can cause a small performance loss. In some performance tuning I did on an app earlier this year, I had 1 query that was executed several thousand times in a long looping process. Nearly every time it was hit it was different and forced a recompile. I removed all of the CFQUERYPARAMs from it and it's average execution time went from 350ms to 10ms. Obviously, if this is a query that only executes occasionally, the difference between 350ms and 10 ms is nothing to worry about, but over millions of executions a day, it adds up. =] -- Alan Rother Adobe Certified Advanced ColdFusion MX 7 Developer Manager, Phoenix Cold Fusion User Group, AZCFUG.org ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314609 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfqueryparam vs cfstoredproc?
Marie, In my experience with SQL Server there is zero notable performance difference between well-formed SQL in a stored proc and the same well-formed SQL in a CFQUERY with CFQUERYPARAM: both gain from the built-in performance tuning of the data server. Also, note that you can run nearly any code directly between the CFQUERY tags that you could put in a stored proc. Yes, you can do multi-statement (just end each with ; like normal) and you can do cursors and you can declare database vars, all within a query in CFQUERY. As to which is better, in my opinion that depends primarily on who's responsible for writing the database calls. As a developer who also writes and optimizes the DB calls, I love having all my code in one searchable library = my CFML pages. If I need to change a data structure, then all changes, both code and DB side, can be found in a single codebase search and changed all at once and checked into one version control system (my CFM repository). On the other hand, if you have a separate person / group doing the DB work, it probably makes more sense to let them live in the stored proc world, especially if they're more comfortable there. HTH ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314610 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfqueryparam vs cfstoredproc?
Original Message Subject: cfqueryparam vs cfstoredproc? From: Marie Taylore [EMAIL PROTECTED] I realize with stored procedures you have a lot more power in terms of SQL scripting, This is not really true. You can put anything you want in a cfquery block. temp tables, CTE's, sp_commandshell, you name it. Procedures to not implicitly allow for any additional functionality other than the possibility of being called easily from other parts of your database. but for basic queries, is CFQUERYPARAM just as fast as (or faster than) running CFSTOREDPROC? There are no significant performance differences between running the same piece of sql as a paramaterized cfquery, or as a stored procedure. The biggest difference, is the amount of text that gets sent over the wire to the SQL server. select * from ... vs execute sp_etc Stored Procedures - can contain advanced SQL procedural code. Like above, your stored proc can't do anything your inline query can't Encapsulate code outside of you application for a layer of abstraction. Now, you're talking. This is, in my opinion, one of the most useful features of stored procs. This is most readily apparent if your app does not use some form of data abstraction layer like DAOs. Additionally, if you have business logic in your SQL, (which is common though I recommend against it) placing that logic in a proc would make it possible for another process (Java, .NET, etc.) to reuse it at the database level. I have worked on applications where the basic API was comprised of hundreds of stored procedures full of business logic. CFQUERYPARAM - allows non-DBAs to take advantage of pre-compiled queries, providing speedier and more secured code. You can encapsulate much the same way a stored procedure does with CFCs. Speedier than an ad-hoc query perhaps. Watch out for blanket statements about paramaterized performance though: http://www.codersrevolution.com/index.cfm/2008/7/26/cfqueryparam-its-not-just-for-security-also-when-NOT-to-use-it Wrapping data access in a CFC is my preferred method of abstracting and reusing SQL in my application, however that is really a CFC vs Proc thing and not a cfqueryparam vs proc conversation. Would love to hear from others on the advantages/disadvantages of each I like stored procs for reusability and organization (SQL code is easier to read and edit in a SQL IDE as opposed to a CF IDE). I however, do not use them for security nor performance. ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314612 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfqueryparam vs cfstoredproc?
Let's hope you don't ever need to handle more than one result set. :) Also, that requires you get the return code manually as well. ~Brad Original Message Subject: Re: cfqueryparam vs cfstoredproc? From: morgan l [EMAIL PROTECTED] We call stored procedures using cfqueryparam: cfquery datasource=DSN name=SomeQuery EXEC StoredProcName @ParamName = cfqueryparam cfsqltype=cf_sql_integer value=#session.value# /cfquery ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314614 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfqueryparam vs cfstoredproc?
Alan, SQL Server will create an execution plan for each query that gets run, where the plan is specific to the final Query definition. From SQL Server's perspective, these are 2 different queries, so each gets its own plan: Query with both names: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = @param1 AND Fname = @param2 AND Lname = @param3 Query with last name only: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = @param1 AND Lname = @param2 So, every query I run with only a Last Name filter will re-use that 2nd query plan, and that increases performance. Without using CFQUERYPARAM at all, every instance of the query is 'new' and that should (in theory) kill your performance, not boost it. In other words, the following queries would have the same plan with params but are each 'new' and distinct without params: Query with last name only: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = '1234' AND Lname = 'Smith' Query with last name only: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = '1234' AND Lname = 'Johnson' I'd be curious to see what the Analyzer had to say on the DB server side about the query plans for running several hundred unique queries vs several hundred recurrences of a few plans. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314615 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfqueryparam vs cfstoredproc?
Interesting... I thought the same thing until I ran these tests. I analyzed the results with ColdFusion debugging output, the Server Monitor in CF8 Ent, SeeFusion, and watched them execute through SQL Profiler, all of them showed better execution times when I removed the CFQUERYPARAMs. Now, this was on a limited subset of my queries. I would still argue that using it is far better than not. Most of the Queries I have used it in I did see a performance improvement in. =] On Thu, Oct 30, 2008 at 9:18 AM, Jason Fisher [EMAIL PROTECTED] wrote: Alan, SQL Server will create an execution plan for each query that gets run, where the plan is specific to the final Query definition. From SQL Server's perspective, these are 2 different queries, so each gets its own plan: Query with both names: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = @param1 AND Fname = @param2 AND Lname = @param3 Query with last name only: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = @param1 AND Lname = @param2 So, every query I run with only a Last Name filter will re-use that 2nd query plan, and that increases performance. Without using CFQUERYPARAM at all, every instance of the query is 'new' and that should (in theory) kill your performance, not boost it. In other words, the following queries would have the same plan with params but are each 'new' and distinct without params: Query with last name only: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = '1234' AND Lname = 'Smith' Query with last name only: SELECT ID, FName, LName, Email FROM SomeTable WHERE IsActive = 1 AND ClientCode = '1234' AND Lname = 'Johnson' I'd be curious to see what the Analyzer had to say on the DB server side about the query plans for running several hundred unique queries vs several hundred recurrences of a few plans. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314616 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfqueryparam vs cfstoredproc?
Interesting, indeed. Wonder if there's an issue of table scan vs index and how the initial execution plans are getting cached. Definitely something to keep your eye on! Interesting... I thought the same thing until I ran these tests. I analyzed the results with ColdFusion debugging output, the Server Monitor in CF8 Ent, SeeFusion, and watched them execute through SQL Profiler, all of them showed better execution times when I removed the CFQUERYPARAMs. Now, this was on a limited subset of my queries. I would still argue that using it is far better than not. Most of the Queries I have used it in I did see a performance improvement in. =] ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314618 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfqueryparam vs cfstoredproc?
Something of note... If you are using cfqueryparam all of the variables need to be bound. Leaving any variable hanging out there will not allow you to take advantage of the execution plan - even if it's a constant. This query cfquery SELECT col1,col2 FROMusers WHERE active = 1 AND userName = cfqueryparam cfsqltype=CF_SQL_CHAR value=bob /cfquery Will not pop the exec plan cache because the server will need to evaluate the 1 after active to type it as an int. To make it work it would need to be written as: cfquery SELECT col1,col2 FROMusers WHERE active = cfqueryparam cfsqltype=CF_SQL_INTEGER value=1/ AND userName = cfqueryparam cfsqltype=CF_SQL_CHAR value=bob /cfquery Of course the top query is quite safe from injection.. It just has no chance of hitting the cache. In addition, server configuration issues on the SQL server will determine how effective it is at hitting the cache. By default it does a pretty good job, but it can need adjusting... Say when there are a few hundred databases for example. -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Alan Rother [mailto:[EMAIL PROTECTED] Sent: Thursday, October 30, 2008 11:28 AM To: cf-talk Subject: Re: cfqueryparam vs cfstoredproc? Interesting... I thought the same thing until I ran these tests. I analyzed the results with ColdFusion debugging output, the Server Monitor in CF8 Ent, SeeFusion, and watched them execute through SQL Profiler, all of them showed better execution times when I removed the CFQUERYPARAMs. Now, this was on a limited subset of my queries. I would still argue that using it is far better than not. Most of the Queries I have used it in I did see a performance improvement in. =] ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314620 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: cfqueryparam vs cfstoredproc?
My 2 cents I use ORACLE stored procs exclusively (using a CFSTOREDPROC tag) and have found them to be great. There are things I can do in stored procs that would be difficult to do in a CFC. I can easily have multiple datasets returned in one call. And the CFPROCPARAM gives me the same benefits as CFQUERYPARAM. I'm a big believer in doing database things on the database and display stuff in the web server. I'll confess though that I don't use CF much anymore except for CFCs-- most everything I do is in Flex. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314621 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfqueryparam vs cfstoredproc?
An open question then... I have a function that takes optional arguments for each of the columns in a table like this: cffunction name=create cfset var separator = cfset var q = cfquery name=q datasource=#VARIABLES.DSN# INSERT INTO [comment] ( cfif StructKeyExists(ARGUMENTS, column1) #separator# [column1] cfset separator = , /cfif cfif StructKeyExists(ARGUMENTS, column2) #separator# [column2] cfset separator = , /cfif ) VALUES ( cfset separator = cfif StructKeyExists(ARGUMENTS, column1) #column1# cfqueryparam cfsqltype=CF_SQL_INTEGER value=#ARGUMENTS.column1# cfset separator = , /cfif cfif StructKeyExists(ARGUMENTS, column2) #separator# cfqueryparam cfsqltype=CF_SQL_INTEGER value=#ARGUMENTS.column2# cfset separator = , /cfif ) SELECT SCOPE_IDENTITY() [commentID] /cfquery cfreturn q.commentID /cffunction This allows me to do an insert with any combination of columns using named arguments: cfset myDOA.create(column1 = 123) cfset myDOA.create(column2 = 321) cfset myDOA.create(column1 = 123, column2 = 321) I have similar ones for updating, selecting and deleting. So, how best to replicate this using stored procedures? The place I'm working at the moment won't allow cfquery so I can't use my beautiful code generator :O( Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: Craigsell Sent: 30 October 2008 17:45 To: cf-talk Subject: Re: cfqueryparam vs cfstoredproc? My 2 cents I use ORACLE stored procs exclusively (using a CFSTOREDPROC tag) and have found them to be great. There are things I can do in stored procs that would be difficult to do in a CFC. I can easily have multiple datasets returned in one call. And the CFPROCPARAM gives me the same benefits as CFQUERYPARAM. I'm a big believer in doing database things on the database and display stuff in the web server. I'll confess though that I don't use CF much anymore except for CFCs-- most everything I do is in Flex. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314622 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfqueryparam vs cfstoredproc?
exec() or sp_executesql You would need to pass in the arguments as a list to the procedure and then do the looping and building of a dynamic query with SQL. Then execute what you have created. Good luck. Dynamic SQL isn't nearly as easy in SQL than CF. Also, you will have to take additional steps to paramaterize it. (requires sp_executesql) FYI: My advice assumes MS SQL. ~Brad Original Message Subject: RE: cfqueryparam vs cfstoredproc? From: Adrian Lynch [EMAIL PROTECTED] Date: Thu, October 30, 2008 1:06 pm To: cf-talk cf-talk@houseoffusion.com An open question then... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314623 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfqueryparam vs cfstoredproc?
Exactly, which kinda defeats the point I feel. I've got a few ways that I might try but for now I'm back to writing SPs. If anyone's interested, I have the full DAO code here: http://adrianlynch.co.uk/post.cfm?postID=21 Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: [EMAIL PROTECTED] Sent: 30 October 2008 18:28 To: cf-talk Subject: RE: cfqueryparam vs cfstoredproc? exec() or sp_executesql You would need to pass in the arguments as a list to the procedure and then do the looping and building of a dynamic query with SQL. Then execute what you have created. Good luck. Dynamic SQL isn't nearly as easy in SQL than CF. Also, you will have to take additional steps to paramaterize it. (requires sp_executesql) FYI: My advice assumes MS SQL. ~Brad Original Message Subject: RE: cfqueryparam vs cfstoredproc? From: Adrian Lynch [EMAIL PROTECTED] Date: Thu, October 30, 2008 1:06 pm To: cf-talk cf-talk@houseoffusion.com An open question then... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314629 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfqueryparam vs cfstoredproc?
I do you feel it would defeat the point? On Thu, Oct 30, 2008 at 2:19 PM, Adrian Lynch [EMAIL PROTECTED]wrote: Exactly, which kinda defeats the point I feel. I've got a few ways that I might try but for now I'm back to writing SPs. If anyone's interested, I have the full DAO code here: http://adrianlynch.co.uk/post.cfm?postID=21 Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: [EMAIL PROTECTED] Sent: 30 October 2008 18:28 To: cf-talk Subject: RE: cfqueryparam vs cfstoredproc? exec() or sp_executesql You would need to pass in the arguments as a list to the procedure and then do the looping and building of a dynamic query with SQL. Then execute what you have created. Good luck. Dynamic SQL isn't nearly as easy in SQL than CF. Also, you will have to take additional steps to paramaterize it. (requires sp_executesql) FYI: My advice assumes MS SQL. ~Brad Original Message Subject: RE: cfqueryparam vs cfstoredproc? From: Adrian Lynch [EMAIL PROTECTED] Date: Thu, October 30, 2008 1:06 pm To: cf-talk cf-talk@houseoffusion.com An open question then... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314630 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: cfqueryparam vs cfstoredproc?
erf ... I meant Why do you feel it would defeat the point? On Thu, Oct 30, 2008 at 2:51 PM, Aaron Rouse [EMAIL PROTECTED] wrote: I do you feel it would defeat the point? On Thu, Oct 30, 2008 at 2:19 PM, Adrian Lynch [EMAIL PROTECTED]wrote: Exactly, which kinda defeats the point I feel. I've got a few ways that I might try but for now I'm back to writing SPs. If anyone's interested, I have the full DAO code here: http://adrianlynch.co.uk/post.cfm?postID=21 Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: [EMAIL PROTECTED] Sent: 30 October 2008 18:28 To: cf-talk Subject: RE: cfqueryparam vs cfstoredproc? exec() or sp_executesql You would need to pass in the arguments as a list to the procedure and then do the looping and building of a dynamic query with SQL. Then execute what you have created. Good luck. Dynamic SQL isn't nearly as easy in SQL than CF. Also, you will have to take additional steps to paramaterize it. (requires sp_executesql) FYI: My advice assumes MS SQL. ~Brad Original Message Subject: RE: cfqueryparam vs cfstoredproc? From: Adrian Lynch [EMAIL PROTECTED] Date: Thu, October 30, 2008 1:06 pm To: cf-talk cf-talk@houseoffusion.com An open question then... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314631 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfqueryparam vs cfstoredproc?
EXEC()ing a string won't produde the same execution plan as the base SQL (--- a guess) and you lose cfqueryparam and cfprocparam's biggest benefit, protecting against injection. Adrian -Original Message- From: Aaron Rouse Sent: 30 October 2008 19:52 To: cf-talk Subject: Re: cfqueryparam vs cfstoredproc? I do you feel it would defeat the point? On Thu, Oct 30, 2008 at 2:19 PM, Adrian Lynch [EMAIL PROTECTED]wrote: Exactly, which kinda defeats the point I feel. I've got a few ways that I might try but for now I'm back to writing SPs. If anyone's interested, I have the full DAO code here: http://adrianlynch.co.uk/post.cfm?postID=21 Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: [EMAIL PROTECTED] Sent: 30 October 2008 18:28 To: cf-talk Subject: RE: cfqueryparam vs cfstoredproc? exec() or sp_executesql You would need to pass in the arguments as a list to the procedure and then do the looping and building of a dynamic query with SQL. Then execute what you have created. Good luck. Dynamic SQL isn't nearly as easy in SQL than CF. Also, you will have to take additional steps to paramaterize it. (requires sp_executesql) FYI: My advice assumes MS SQL. ~Brad Original Message Subject: RE: cfqueryparam vs cfstoredproc? From: Adrian Lynch [EMAIL PROTECTED] Date: Thu, October 30, 2008 1:06 pm To: cf-talk cf-talk@houseoffusion.com An open question then... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314632 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfqueryparam vs cfstoredproc?
Ok, makes sense. We use a CFC here that I built a long time ago that builds insert/update queries based upon the database's meta data. It puts in the cfqueryparams and does data validation prior to that. While the cfqueryparams were put in for those very reasons, the seen benefit by anyone using it is the fact they no longer have to write those queries. They just pass in typically the form structure, an action flag and the table name then it does the rest. I could see them still liking an SP that did it then the wrapper for the SP would need all the appropriate checks on the data coming in to hopefully avoid the possibility of a SQL injection attack. On Thu, Oct 30, 2008 at 2:57 PM, Adrian Lynch [EMAIL PROTECTED]wrote: EXEC()ing a string won't produde the same execution plan as the base SQL (--- a guess) and you lose cfqueryparam and cfprocparam's biggest benefit, protecting against injection. Adrian -Original Message- From: Aaron Rouse Sent: 30 October 2008 19:52 To: cf-talk Subject: Re: cfqueryparam vs cfstoredproc? I do you feel it would defeat the point? On Thu, Oct 30, 2008 at 2:19 PM, Adrian Lynch [EMAIL PROTECTED]wrote: Exactly, which kinda defeats the point I feel. I've got a few ways that I might try but for now I'm back to writing SPs. If anyone's interested, I have the full DAO code here: http://adrianlynch.co.uk/post.cfm?postID=21 Adrian Building a database of ColdFusion errors at http://cferror.org/ -Original Message- From: [EMAIL PROTECTED] Sent: 30 October 2008 18:28 To: cf-talk Subject: RE: cfqueryparam vs cfstoredproc? exec() or sp_executesql You would need to pass in the arguments as a list to the procedure and then do the looping and building of a dynamic query with SQL. Then execute what you have created. Good luck. Dynamic SQL isn't nearly as easy in SQL than CF. Also, you will have to take additional steps to paramaterize it. (requires sp_executesql) FYI: My advice assumes MS SQL. ~Brad Original Message Subject: RE: cfqueryparam vs cfstoredproc? From: Adrian Lynch [EMAIL PROTECTED] Date: Thu, October 30, 2008 1:06 pm To: cf-talk cf-talk@houseoffusion.com An open question then... ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:314633 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: CFMX 7 - Oracle CLOB / cfstoredproc
I was having the same issue. I was getting a clob back and then couldn't figure out out to get the content to display. One of our Java guys helped me figure this out. So what I learned is that a CLOB is an object and there are a lot of attributes to it, including the actual character values which is really what you want in the end. That little output you saw is the object's string identifier. So in Coldfusion, to get the character set we had to create a Java string object and pass the clob into the constructor. It seems the constructor recoginizes that the value is a clob and when it creates the string it assigns the char set as the value. The end code was (using your example): cfset x = CreateObject(java,java.lang.String).init(myXMLOutput) cfoutput#x#/cfoutput - Gert Franz wrote: Did you check whether Oracle executes the storedproc? You could use the monitorin tool for that while cfm executes. what happens if you call the function directly inside a cfquery tag and dump the result? Just try to fill a variable without . notation eg myXMLOutput. After that, i have no ideas... :-) good luck Greetings / Grüsse Gert Franz Customer Care Railo Technologies GmbH [EMAIL PROTECTED] www.railo.ch Join our Mailing List / Treten Sie unserer Mailingliste bei: deutsch: http://de.groups.yahoo.com/group/railo/ english: http://groups.yahoo.com/group/railo_talk/ Mike Garner schrieb: I have been messing with this issue all day - searched around without much success. Here's the issue, we are on Oracle 10g R2. We upgraded our JDBC driver to 3.5. I am now trying to get the following test code to work (test.xml is a simple xml file): ** cffile action=Read file=C:\testing\Test.xml variable=variables.myXMLInput cfstoredproc procedure=TESTCLOB datasource=MYDNS cfprocparam cfsqltype=CF_SQL_CLOB type=In value=#variables.myXMLInput# cfprocparam cfsqltype=CF_SQL_CLOB type=Out variable=variables.myXMLOutput /cfstoredproc cfoutput#variables.myXMLOutput#/cfoutput ** The stored procedure is just copying the value passed in into the output variable. I've tested the procedure through PL/SQL developer and it works fine. The output of the above test code is this: [EMAIL PROTECTED] I realize what this is - the default ToString of a Java object - the address changes every time I refresh. The question is, how do I get to the value of the CLOB from this variable? I've tried to do a CFDUMP of the variable, but it actually causes CF to crash. Through debugging I can see the input was handled correctly - just can't get to the output. Any help would be appreciated. Regards, MG ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:313900 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping to add to my wall) If a someone is using MySQL ... Well, the original poster was asking about the current attack, which specifically targets MS SQL Server. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309509 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
Do you mind if I blog about that part where you said Yeah, your right about that That's got to be good for my cf_streetCred (ha). I don't mind, no. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309510 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: writing protected CF with CFStoredProc
Excellent points! Thanks Dave, and everyone who took the time to reply to / read this thread. Moral lessons learned: 1) Don't go crazy with tightening security around SQL statements. Only secure the vulnerable; 2) Whenever possible, think of using native CF functions to simplify code. :-) BTW, Dave, do you have a Reader's Digest version of the CFTalk threads? There are so many good ideas flying around here that it is hard to keep up sometimes. It would be awesome if we could have the common problem discussions abstracted, condensed and posted for all to share. On Tue, Jul 22, 2008 at 8:15 PM, Dave Watts [EMAIL PROTECTED] wrote: Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery Well, first of all, in this case the stored procedure itself is handling validation. It's going to make sure that @aid and @bid are integers, and fail if they're not. In addition, in the above case, the parameters don't even contain CF variables! So, you don't really need to go any farther, as your current code is safe. As Mark just pointed out, if you did have actual CF variables in your statement, those would be vulnerable. The stored procedure itself isn't vulnerable, of course, but the CFQUERY tag would be unless you'd configured your database login so that it could only execute stored procedures. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309526 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfquery and cfstoredproc
Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping to add to my wall) If a someone is using MySQL ... Well, the original poster was asking about the current attack, which specifically targets MS SQL Server. That might be true, but he didn't say that. He simply stated he had been asked to look at a possible sql injection attack. He stated he had heard that inline queries can cause injection attacks and asked if that syntax was safe. Given that information alone, I still think the answer is no. ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309536 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
writing protected CF with CFStoredProc
Hello folks: The discussion yesterday regarding using CFqueryparam to protect sites from SQL Injection attacks got me thinking. Well, it is easy enough to use CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed to the SQL query. However, how do you do that with CFStoredProc? If I understand correctly, if you want to protect calls to stored procs (from SQL injection and the like), you have to use cfstoredproc and cfprocparam instead of cfquery and cfqueryparam. But apparently, you can't indicate what parameters you're actually passing. Am I missing something? Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery If I was using CFSTOREDPROC, I might write this: cfstoredproc procedure=sps_testproc... cfprocparam type=in cfsqltype=cf_sql_integer value=123 . /cfstoredproc See my problem? In my proc example, we don't need to know which of the two params is going to be passed to it. In the CFQUERY, I use that to pass one param or the other depending on something else (the value of whichvar). But as far as I can tell, CFSTOREDPROC doesn't let me tell it which parameter I'm passing -- presumably it wants all parameters, in order. So maybe I need something like this: cfstoredproc procedure=sps_testproc... cfif whichvar=A cfprocparam type=in cfsqltype=cf_sql_integer value=123 cfprocparam type=in cfsqltype=cf_sql_integer value=null cfelse cfprocparam type=in cfsqltype=cf_sql_integer value=null cfprocparam type=in cfsqltype=cf_sql_integer value=456 /cfstoredproc That kind of sucks, right? Am I making any sense? Any thoughts and/or suggestions? ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309460 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: writing protected CF with CFStoredProc
Why not pass both to the proc, then rewrite the proc so that rather than testing for it's existence, you're testing for whether or not it's blank? -Original Message- From: Qing Xia [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 9:21 AM To: CF-Talk Subject: writing protected CF with CFStoredProc Hello folks: The discussion yesterday regarding using CFqueryparam to protect sites from SQL Injection attacks got me thinking. Well, it is easy enough to use CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed to the SQL query. However, how do you do that with CFStoredProc? If I understand correctly, if you want to protect calls to stored procs (from SQL injection and the like), you have to use cfstoredproc and cfprocparam instead of cfquery and cfqueryparam. But apparently, you can't indicate what parameters you're actually passing. Am I missing something? Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery If I was using CFSTOREDPROC, I might write this: cfstoredproc procedure=sps_testproc... cfprocparam type=in cfsqltype=cf_sql_integer value=123 .. /cfstoredproc See my problem? In my proc example, we don't need to know which of the two params is going to be passed to it. In the CFQUERY, I use that to pass one param or the other depending on something else (the value of whichvar). But as far as I can tell, CFSTOREDPROC doesn't let me tell it which parameter I'm passing -- presumably it wants all parameters, in order. So maybe I need something like this: cfstoredproc procedure=sps_testproc... cfif whichvar=A cfprocparam type=in cfsqltype=cf_sql_integer value=123 cfprocparam type=in cfsqltype=cf_sql_integer value=null cfelse cfprocparam type=in cfsqltype=cf_sql_integer value=null cfprocparam type=in cfsqltype=cf_sql_integer value=456 /cfstoredproc That kind of sucks, right? Am I making any sense? Any thoughts and/or suggestions? ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309461 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: writing protected CF with CFStoredProc
Yup, you're making sense. The way around it is to pass NULL in using: cfprocparam null=true Adrian -Original Message- From: Qing Xia [mailto:[EMAIL PROTECTED] Sent: 22 July 2008 15:21 To: CF-Talk Subject: writing protected CF with CFStoredProc Hello folks: The discussion yesterday regarding using CFqueryparam to protect sites from SQL Injection attacks got me thinking. Well, it is easy enough to use CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed to the SQL query. However, how do you do that with CFStoredProc? If I understand correctly, if you want to protect calls to stored procs (from SQL injection and the like), you have to use cfstoredproc and cfprocparam instead of cfquery and cfqueryparam. But apparently, you can't indicate what parameters you're actually passing. Am I missing something? Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery If I was using CFSTOREDPROC, I might write this: cfstoredproc procedure=sps_testproc... cfprocparam type=in cfsqltype=cf_sql_integer value=123 .. /cfstoredproc See my problem? In my proc example, we don't need to know which of the two params is going to be passed to it. In the CFQUERY, I use that to pass one param or the other depending on something else (the value of whichvar). But as far as I can tell, CFSTOREDPROC doesn't let me tell it which parameter I'm passing -- presumably it wants all parameters, in order. So maybe I need something like this: cfstoredproc procedure=sps_testproc... cfif whichvar=A cfprocparam type=in cfsqltype=cf_sql_integer value=123 cfprocparam type=in cfsqltype=cf_sql_integer value=null cfelse cfprocparam type=in cfsqltype=cf_sql_integer value=null cfprocparam type=in cfsqltype=cf_sql_integer value=456 /cfstoredproc That kind of sucks, right? Am I making any sense? Any thoughts and/or suggestions? ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309462 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: writing protected CF with CFStoredProc
What's wrong with using: cfquery ... exec sps_testproc cfif whichvar = A @aid=cfqueryparam value=123 cfsqltype=cf_sql_integer cfelse @bid=cfqueryparam value=456 cfsqltype=cf_sql_integer /cfif /cfquery ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309464 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: writing protected CF with CFStoredProc
Oh yeah, you are right, of course. There is no NULL in CF so if I do a Value=NULL that will only confuse SQL. Cool, thanks! On Tue, Jul 22, 2008 at 10:27 AM, Adrian Lynch [EMAIL PROTECTED] wrote: Yup, you're making sense. The way around it is to pass NULL in using: cfprocparam null=true Adrian -Original Message- From: Qing Xia [mailto:[EMAIL PROTECTED] Sent: 22 July 2008 15:21 To: CF-Talk Subject: writing protected CF with CFStoredProc Hello folks: The discussion yesterday regarding using CFqueryparam to protect sites from SQL Injection attacks got me thinking. Well, it is easy enough to use CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed to the SQL query. However, how do you do that with CFStoredProc? If I understand correctly, if you want to protect calls to stored procs (from SQL injection and the like), you have to use cfstoredproc and cfprocparam instead of cfquery and cfqueryparam. But apparently, you can't indicate what parameters you're actually passing. Am I missing something? Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery If I was using CFSTOREDPROC, I might write this: cfstoredproc procedure=sps_testproc... cfprocparam type=in cfsqltype=cf_sql_integer value=123 .. /cfstoredproc See my problem? In my proc example, we don't need to know which of the two params is going to be passed to it. In the CFQUERY, I use that to pass one param or the other depending on something else (the value of whichvar). But as far as I can tell, CFSTOREDPROC doesn't let me tell it which parameter I'm passing -- presumably it wants all parameters, in order. So maybe I need something like this: cfstoredproc procedure=sps_testproc... cfif whichvar=A cfprocparam type=in cfsqltype=cf_sql_integer value=123 cfprocparam type=in cfsqltype=cf_sql_integer value=null cfelse cfprocparam type=in cfsqltype=cf_sql_integer value=null cfprocparam type=in cfsqltype=cf_sql_integer value=456 /cfstoredproc That kind of sucks, right? Am I making any sense? Any thoughts and/or suggestions? ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309465 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: writing protected CF with CFStoredProc
True! I can certainly do this as well. On Tue, Jul 22, 2008 at 10:40 AM, morgan l [EMAIL PROTECTED] wrote: What's wrong with using: cfquery ... exec sps_testproc cfif whichvar = A @aid=cfqueryparam value=123 cfsqltype=cf_sql_integer cfelse @bid=cfqueryparam value=456 cfsqltype=cf_sql_integer /cfif /cfquery ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309466 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: writing protected CF with CFStoredProc
In your example you are altering the behavior of the query based upon input which does not affect injection attacks. The idea of protecting against injection attacks is to stop invalid values from being executed within the query/SP. Take for example this query: delete from customer where customerId = 1 if this query were parameterized from CF without cfqueryparam you would have: delete from customer where customerId = #customerId# If someone were trying to inject sql they could inject 1;drop customers; as the parameter and without the queryparam, it would be executed literally as the following and drop the customers table: delete from customer where lastname = 1; drop customers; To prevent this we utilize cfqueryparam which parameterizes the query that is passed. As I understand it, this informs the database that the value being passed is of a specific datatype. So in the previous example: delete from customer where customerId = cfqueryparam value=#customerId# cfsqltype=cf_sql_integer null=false / In essense, the database sees this as: declare @custId int set @custId = 1 delete from customer where customerId = @custId This has the benefit of not allowing the additional SQL to be injected, and I just learned recently, it also creates a parameterized query which on SQL server creates a cached query execution plan, minimially increasing performance. HTH, Rich ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309467 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
cfquery and cfstoredproc
i have been asked to look at a possible sql injection attack. as I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm? Thanks! Tim ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309477 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
Yes you are vulnerable if you do not sanitize the inputs. Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Tim Do [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 2:28 PM To: CF-Talk Subject: cfquery and cfstoredproc i have been asked to look at a possible sql injection attack. as I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm? Thanks! Tim ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309478 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
As you have heard, cfquery is vulnerable to sql injection attacks, so you have to do something. You will hear that cfqueryparam is the best practice for protecting against sql injection attacks, and there is certainly truth to that. However, there are also costs associated with cfqueryparam. (Depending on the version of CF, cfqueryparam disables cachedwithin caching. In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no workaround. This last issue is nearly a show stopper for me.) The code you show below puts single quotes around simple CF variables, and in my book that provides pretty good protection from sql injection attacks. I have not yet heard of a case/argument that shows that the single quote method, when used with simple CF variables, is not safe. (Using the value of a function call or other expression in a cfquery can lead to problems, possibly depending on the version of CF you are using. The problems are due to the weird way that CF doubles single quotes in variable values automatically.) BTW, I do not know if there is a way to safely use a CF variable as part of an ORDER BY clause, but I do know that single quotes there will not work. (It is not valid SQL.) So, code that takes ORDER BY clause elements from url parameters are much tougher to protect and I think should be avoided. Thanks Mark -Original Message- From: Tim Do [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 3:28 PM To: CF-Talk Subject: cfquery and cfstoredproc i have been asked to look at a possible sql injection attack. as I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm? Thanks! Tim ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309479 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfquery and cfstoredproc
(Depending on the version of CF, cfqueryparam disables cachedwithin caching. This is true, but it doesn't prevent you from baking your own caching mechanism as many have done. In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no workaround. Please explain what you mean. Are you saying you can't run a trace and see your SQL running. That is certainly not true. It may complicate seeing the valuf of your input parameters. peronally I use SeeFusion to watch my SQL traffic. I can debug a single users's IP and it shows me all the parameters being passed in. The code you show below puts single quotes around simple CF variables, and in my book that provides pretty good protection from sql injection attacks. I have not yet heard of a case/argument that shows that the single quote method, when used with simple CF variables, is not safe. Now you have: http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-on-mysql BTW, I do not know if there is a way to safely use a CF variable as part of an ORDER BY clause, I outlined what I believe to be the only way to this here: http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309480 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
A couple of approaches to order by http://www.coldfusionmuse.com/index.cfm/2008/7/21/SQL-injection-using-order- by Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Brad Wood [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 3:46 PM To: CF-Talk Subject: Re: cfquery and cfstoredproc (Depending on the version of CF, cfqueryparam disables cachedwithin caching. This is true, but it doesn't prevent you from baking your own caching mechanism as many have done. In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no workaround. Please explain what you mean. Are you saying you can't run a trace and see your SQL running. That is certainly not true. It may complicate seeing the valuf of your input parameters. peronally I use SeeFusion to watch my SQL traffic. I can debug a single users's IP and it shows me all the parameters being passed in. The code you show below puts single quotes around simple CF variables, and in my book that provides pretty good protection from sql injection attacks. I have not yet heard of a case/argument that shows that the single quote method, when used with simple CF variables, is not safe. Now you have: http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe- SQL-Injection-and-MySQL http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-escape-o n-mysql BTW, I do not know if there is a way to safely use a CF variable as part of an ORDER BY clause, I outlined what I believe to be the only way to this here: http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-N OT-protect-me ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309482 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
I've used this function to view the SQL with the param data in place. cffunction name=executedSQL cfargument name=result cfset var LOCAL = {} cfset LOCAL.sqlString = ARGUMENTS.result.sql cfif StructKeyExists(ARGUMENTS.result, sqlParameters) cfset LOCAL.params = ARGUMENTS.result.sqlParameters cfloop array=#LOCAL.params# index=LOCAL.param cfif NOT IsNumeric(LOCAL.param) cfset LOCAL.param = ' LOCAL.param ' /cfif cfset LOCAL.sqlString = ReplaceNoCase(LOCAL.sqlString, ?, LOCAL.param, ONE) /cfloop /cfif cfreturn pre LOCAL.sqlString /pre /cffunction cfquery name=testQuery datasource=yourDS result=r SELECT * FROM myTable WHERE myColumn = cfqueryparam cfsqltype=CF_SQL_INTEGER value=#someVar# AND myOtherColumn = cfqueryparam cfsqltype=CF_SQL_VARCHAR value=#anotherVar# /cfquery cfoutput#executedSQL(r)#/cfoutput Adrian www.adrianlynch.co.uk -Original Message- From: Brad Wood [mailto:[EMAIL PROTECTED] Sent: 22 July 2008 21:46 To: CF-Talk Subject: Re: cfquery and cfstoredproc In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no workaround. Please explain what you mean. Are you saying you can't run a trace and see your SQL running. That is certainly not true. It may complicate seeing the valuf of your input parameters. peronally I use SeeFusion to watch my SQL traffic. I can debug a single users's IP and it shows me all the parameters being passed in. ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309481 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
Hi Brad Thanks for the links, those are interesting articles. The problem with MS SQL Profiler and cfqueryparam is that the sql that arrives at the sql server replaces the literal sql with something like sp_exec 72 (I forget the actual sp name) followed by the parameters (which are easily visible); the 72 is all that identifies the actual sql statement and there is no way to convert 72 into the actual sql statement... the id is valid only within the current connection. I use SQL profiler to find slow queries coming from anywhere in the network, including the multiple web servers and other processes that run our web site. It also shows lots of SQL server internal stats which make debugging slow queries much, much easier... just having execution times is not always helpful, and seeing all of the concurrently running queries is pretty much required for complex cases. What stinks is that all Adobe has to do is provide an alternative mode for cfqueryparam that does not use binding (but does do other required data validation), and I could enable it as I see fit. Then everyone in the world could agree that cfqueryparam is great and should be used in all cases. (I know, I know... implementing the required validation is easier said than done. I didn't say it would be trivial to do.) The other potential fix that I would absolutely live with is if the sp_exec 72... SQL included a SQL comment that showed a form of the original query. That would be enough for me to go on. This kind of change would almost certainly require changes at or near the JDBC call layer so, unless I can swap in a different JDBC driver, there isn't much hope of doing this independently of Adobe. (Actually, it looks like it is possible to use non-standard JDBC drivers... Hmm... I wonder what kind of trouble I can get myself into with this capability.) BTW, that MySQL hack with quoted back ticks sounds like hell. I'm not trying to start a MS SQL vs MySQL thing here, but damn, that really sucks and probably makes a ton of web sites vulnerable. (And yes, this does provide an example of when back ticks are insufficient, so now I know.) Thanks for the info. Mark -Original Message- From: Brad Wood [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 4:46 PM To: CF-Talk Subject: Re: cfquery and cfstoredproc (Depending on the version of CF, cfqueryparam disables cachedwithin caching. This is true, but it doesn't prevent you from baking your own caching mechanism as many have done. In all versions of CF, cfqueryparam effectively makes Sql Profiling with SQL Server useless and there is no workaround. Please explain what you mean. Are you saying you can't run a trace and see your SQL running. That is certainly not true. It may complicate seeing the valuf of your input parameters. peronally I use SeeFusion to watch my SQL traffic. I can debug a single users's IP and it shows me all the parameters being passed in. The code you show below puts single quotes around simple CF variables, and in my book that provides pretty good protection from sql injection attacks. I have not yet heard of a case/argument that shows that the single quote method, when used with simple CF variables, is not safe. Now you have: http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-s afe-SQL-Injection-and-MySQL http://www.coldfusionmuse.com/index.cfm/2008/5/16/disable-backslash-esca pe-on-mysql BTW, I do not know if there is a way to safely use a CF variable as part of an ORDER BY clause, I outlined what I believe to be the only way to this here: http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfquerypar am-NOT-protect-me ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309486 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfquery and cfstoredproc
Thanks Adrian. That's cool. however, it is not useful DURING the execution of the SQL though correct? ~Brad - Original Message - From: Adrian Lynch [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Tuesday, July 22, 2008 3:51 PM Subject: RE: cfquery and cfstoredproc I've used this function to view the SQL with the param data in place. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309487 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfquery and cfstoredproc
I see. Thanks for the clarification on the Profiler stuff. Unfortunately, I don't MSSQL in front of me to play with it right now. I give SeeFusion two thumbs way up on monitoring your SQL traffic and run times. (it incorporates a JDBC URL wrapper) I use a custom monitor I wrote for SQL server 2005 that gets the execution plans for me of my running SQL that I tied into the SeeFusion API. If I see a spike on the server, I can see who is doing it, what page they are on, what line of SQL is executing and what their execution plan is all at once. ~Brad - Original Message - From: Gaulin, Mark [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Tuesday, July 22, 2008 4:34 PM Subject: RE: cfquery and cfstoredproc Hi Brad Thanks for the links, those are interesting articles. ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309489 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
i have been asked to look at a possible sql injection attack. as I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm? Yes you are vulnerable if you do not sanitize the inputs. Actually, generally you won't be vulnerable here. You're calling a stored procedure, which is going to take your inputs and stick them in input parameters. As long as you're not executing strings directly in your stored procedure (using EXEC, EXECUTE, sp_executesql, etc) you'll be fine. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309491 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
Dave, What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run? -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 5:50 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc i have been asked to look at a possible sql injection attack. as I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm? Yes you are vulnerable if you do not sanitize the inputs. Actually, generally you won't be vulnerable here. You're calling a stored procedure, which is going to take your inputs and stick them in input parameters. As long as you're not executing strings directly in your stored procedure (using EXEC, EXECUTE, sp_executesql, etc) you'll be fine. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309492 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run? It wouldn't allow any of the values after the stored procedure call storedproc to run as code, because they would be placed in the input parameters of the stored procedure. Essentially, this has the same effect as parameterizing your query in CF. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309493 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
So I'm hearing that it should be fine?? Somehow their database columns values were appended the following string : /titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- So for example the column firstname value was John became: John/titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- What else could have caused this? Like you said the parameters are in single quotes and the data type is varchar so it must have a single quote in order to work. I'm confused... -Original Message- From: Mark Kruger [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 3:52 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc Dave, What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run? -Mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 5:50 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc i have been asked to look at a possible sql injection attack. as I look through the code I see stored procs being called by using cfquery like: cfquery name=asdf datasource=asdf storedproc '#var1#', '#var2#' cfquery I've read about using cfstored procs and params to prevent attacks. I've read that using cfquery and doing inline queries can cause injection attacks but I wasn't sure about using cfquery and calling a stored proc through it. Can somebody please confirm? Yes you are vulnerable if you do not sanitize the inputs. Actually, generally you won't be vulnerable here. You're calling a stored procedure, which is going to take your inputs and stick them in input parameters. As long as you're not executing strings directly in your stored procedure (using EXEC, EXECUTE, sp_executesql, etc) you'll be fine. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309494 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
So I'm hearing that it should be fine?? Somehow their database columns values were appended the following string : /titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- So for example the column firstname value was John became: John/titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- What else could have caused this? Like you said the parameters are in single quotes and the data type is varchar so it must have a single quote in order to work. I'm confused... The specific attack in question looks for numeric inputs, not character inputs. So, my guess is that you have some other unparameterized query that is being called by the attack. I recommend you examine your codebase to find unparameterized queries. I found this tool, mentioned here by others, to be very helpful for this: http://qpscanner.riaforge.org/ Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309495 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: writing protected CF with CFStoredProc
The discussion yesterday regarding using CFqueryparam to protect sites from SQL Injection attacks got me thinking. Well, it is easy enough to use CFQUERYPARAM everywhere inside CFQUERY tags, wherever a variable is passed to the SQL query. However, how do you do that with CFStoredProc? If I understand correctly, if you want to protect calls to stored procs (from SQL injection and the like), you have to use cfstoredproc and cfprocparam instead of cfquery and cfqueryparam. But apparently, you can't indicate what parameters you're actually passing. Am I missing something? Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery Well, first of all, in this case the stored procedure itself is handling validation. It's going to make sure that @aid and @bid are integers, and fail if they're not. In addition, in the above case, the parameters don't even contain CF variables! So, you don't really need to go any farther, as your current code is safe. If I was using CFSTOREDPROC, I might write this: cfstoredproc procedure=sps_testproc... cfprocparam type=in cfsqltype=cf_sql_integer value=123 . /cfstoredproc See my problem? In my proc example, we don't need to know which of the two params is going to be passed to it. In the CFQUERY, I use that to pass one param or the other depending on something else (the value of whichvar). But as far as I can tell, CFSTOREDPROC doesn't let me tell it which parameter I'm passing -- presumably it wants all parameters, in order. So maybe I need something like this: cfstoredproc procedure=sps_testproc... cfif whichvar=A cfprocparam type=in cfsqltype=cf_sql_integer value=123 cfprocparam type=in cfsqltype=cf_sql_integer value=null cfelse cfprocparam type=in cfsqltype=cf_sql_integer value=null cfprocparam type=in cfsqltype=cf_sql_integer value=456 /cfstoredproc That kind of sucks, right? Am I making any sense? CF 5 and earlier used the DBVARNAME attribute to specify which one is which. My understanding is that JDBC doesn't support this, so CF no longer supports this either. However, I'm not knowledgeable enough about JDBC to confirm this, so maybe it's a DataDirect-specific issue. In any case, you need to send parameters in the order that they're expected by the stored procedure. That said, you can send NULLs to each parameter that allows it, and you could simplify the above code: cfstoredproc ... cfprocparam type=in cfsqltype=cf_sql_integer value=123 null=#YesNoFormat(whichvar neq A)# cfprocparam type=in cfsqltype=cf_sql_integer value=456 null=#YesNoFormat(whichvar eq A)# /cfstoredproc Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309496 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
Dave, I never disagree with you (usually a fools errand) but I want a clarification. I think you might mean that this particular use is safe because CF will escape the single quotes. But the code below is vulnerable in exactly the same as a CFQUERY. As a test I created an SP - CREATE PROCEDURE dbo.sp_test @iObject varchar(200) as set nocount on select @iObject AS item Then I ran the following code: --- cfquery name=test datasource=test sp_test 'bob'; update coaches set name = 'Dave Watts' where coach_id = 1 /cfquery -- Both of these statements run and the coaches table was updated. So, yes it's protected in this case (because of escaping) but if the values were un sanitized integers it would be just as exposed as a regular query - right? If it looked like this: cfquery name=test datasource=test sp_test #bob_id# /cfquery I would be able to attack it I think. Probably not as easy to get the syntax right but... Still possible. Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 6:07 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc What about a semi-colon? Storedproc '#var1#','#var2#' ; *other code* Would the CFQUERY not allow this additional code to run? It wouldn't allow any of the values after the stored procedure call storedproc to run as code, because they would be placed in the input parameters of the stored procedure. Essentially, this has the same effect as parameterizing your query in CF. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309497 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
I never disagree with you (usually a fools errand) Ha! I wish. but I want a clarification. I think you might mean that this particular use is safe because CF will escape the single quotes. But the code below is vulnerable in exactly the same as a CFQUERY. As a test I created an SP - CREATE PROCEDURE dbo.sp_test @iObject varchar(200) as set nocount on select @iObject AS item Then I ran the following code: --- cfquery name=test datasource=test sp_test 'bob'; update coaches set name = 'Dave Watts' where coach_id = 1 /cfquery -- Both of these statements run and the coaches table was updated. Yeah, you're right about that. If you have a numeric value in your CFQUERY, it could be broken to also contain a string. The semicolon would turn the single original stored procedure call into an SQL batch containing the stored procedure and whatever your string contained. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309499 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: writing protected CF with CFStoredProc
Say you had a proc that looked like this: CREATE PROC sps_testproc @AID int = null, @BID int = null as IF @AID is not null SELECT @AID IF @AID is not NULL SELECT @BID If I was using CFQUERY, unprotected-style, I might write this: cfquery ... sps_testproc cfif whichvar = A @aid=123 cfelse @bid=456 /cfif /cfquery Well, first of all, in this case the stored procedure itself is handling validation. It's going to make sure that @aid and @bid are integers, and fail if they're not. In addition, in the above case, the parameters don't even contain CF variables! So, you don't really need to go any farther, as your current code is safe. As Mark just pointed out, if you did have actual CF variables in your statement, those would be vulnerable. The stored procedure itself isn't vulnerable, of course, but the CFQUERY tag would be unless you'd configured your database login so that it could only execute stored procedures. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309500 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfquery and cfstoredproc
So I'm hearing that it should be fine?? Somehow their database columns values were appended the following string : /titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- So for example the column firstname value was John became: John/titleInvalidTag src=http://1.verynx.cn/w.js;/script!-- What else could have caused this? Like you said the parameters are in single quotes and the data type is varchar so it must have a single quote in order to work. I'm confused... The specific attack in question looks for numeric inputs, not character inputs. So, my guess is that you have some other unparameterized query that is being called by the attack. I recommend you examine your codebase to find unparameterized queries. I found this tool, mentioned here by others, to be very helpful for this: http://qpscanner.riaforge.org/ As Mark pointed out, if you did have numeric inputs in your CFQUERY tag, those would still be vulnerable. If not, though, the rest of my statement still stands. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309501 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfquery and cfstoredproc
Dave, Do you mind if I blog about that part where you said Yeah, your right about that That's got to be good for my cf_streetCred (ha). -mk -Original Message- From: Dave Watts [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 22, 2008 7:14 PM To: CF-Talk Subject: RE: cfquery and cfstoredproc I never disagree with you (usually a fools errand) Ha! I wish. but I want a clarification. I think you might mean that this particular use is safe because CF will escape the single quotes. But the code below is vulnerable in exactly the same as a CFQUERY. As a test I created an SP - CREATE PROCEDURE dbo.sp_test @iObject varchar(200) as set nocount on select @iObject AS item Then I ran the following code: --- cfquery name=test datasource=test sp_test 'bob'; update coaches set name = 'Dave Watts' where coach_id = 1 /cfquery -- Both of these statements run and the coaches table was updated. Yeah, you're right about that. If you have a numeric value in your CFQUERY, it could be broken to also contain a string. The semicolon would turn the single original stored procedure call into an SQL batch containing the stored procedure and whatever your string contained. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309502 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: cfquery and cfstoredproc
I'll admit it. The first time Dave conceded I was right about something, it got printed out and stuck on my cubicle wall. Hey, I gotta' celebrate *something* :) ~Brad - Original Message - From: Mark Kruger [EMAIL PROTECTED] To: CF-Talk cf-talk@houseoffusion.com Sent: Tuesday, July 22, 2008 8:58 PM Subject: RE: cfquery and cfstoredproc Dave, Do you mind if I blog about that part where you said Yeah, your right about that That's got to be good for my cf_streetCred (ha). -mk ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309505 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfquery and cfstoredproc
As Mark pointed out, if you did have numeric inputs in your CFQUERY tag, those would still be vulnerable. If not, though, the rest of my statement still stands. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Actually, I'm gonna pick on you again Dave and challenge this. (I'm hoping to add to my wall) If a someone is using MySQL, they have allowMultiQueries set to true and have not changed the NO_BACKSLASH_ESCAPES from its default setting, the example given would still be vulnerable to SQL injection. I set it up an example locally just to make sure. I created this MySQL proc: CREATE PROCEDURE sp_test(input varchar(100)) BEGIN select input; END Then call it with the following CFML (The contents of the var variable could easily from from URL or FORM): cfset var = Hello World\'); update links set active = yes; -- cfquery name=test datasource=foo call sp_test('#var#'); /cfquery You will notice that the input to the proc was enclosed in single ticks, however SQL injection was still successful since MySQL allows for single ticks to be escaped with a backslash and CF doesn't prevent that. (That code updated all the records in my links table) The OP didn't specify, but IF he is on another BDMS like MS SQL he would be ok. however, I know MySQL is pretty common, and a lot of people run it in allowMultiQueries mode. ~Brad ~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309506 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
CFStoredProc
This should have been simple as making a PBJ. I am calling a SP (SQL Server 2005) using the CFStoredProc function and to get the result set returned as nextval. Basically it should return an interget value. cfstoredproc datasource=#application.datasource# procedure=usp_select_nextval cfprocparam type=In cfsqltype=CF_SQL_VARCHAR value=DataTrack_Block cfprocresult name = nextval /cfstoredproc Now if I try to use CFDump to dump the results set nextval it indicates the variable does not exist. What is it I am missing? It has ot be something I can say DOH about. ~| Get involved in the latest ColdFusion discussions, product development sharing, and articles on the Adobe Labs wiki. http://labs/adobe.com/wiki/index.php/ColdFusion_8 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293036 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: CFStoredProc
I am calling a SP (SQL Server 2005) using the CFStoredProc function and to get the result set returned as nextval. Basically it should return an interget value. ... What is it I am missing? Without seeing the SP code, who can say? My guess is that your SP is returning an output parameter, rather than SELECTing a recordset. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| ColdFusion 8 - Build next generation apps today, with easy PDF and Ajax features - download now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293038 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc
It looks like you are missing the DBVAR name. cfstoredproc datasource=#application.datasource# procedure=usp_select_nextval cfprocparam type=In cfsqltype=CF_SQL_VARCHAR value=DataTrack_Block dbvarname=insertfieldnamehere cfprocresult name = nextval /cfstoredproc CF Developer wrote: This should have been simple as making a PBJ. I am calling a SP (SQL Server 2005) using the CFStoredProc function and to get the result set returned as nextval. Basically it should return an interget value. cfstoredproc datasource=#application.datasource# procedure=usp_select_nextval cfprocparam type=In cfsqltype=CF_SQL_VARCHAR value=DataTrack_Block cfprocresult name = nextval /cfstoredproc Now if I try to use CFDump to dump the results set nextval it indicates the variable does not exist. What is it I am missing? It has ot be something I can say DOH about. ~| Download the latest ColdFusion 8 utilities including Report Builder, plug-ins for Eclipse and Dreamweaver updates. http;//www.adobe.com/cfusion/entitlement/index.cfm?e=labs%5adobecf8%5Fbeta Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293041 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc
cfprocresult is for returning a query result set. If you're not returning query, then you should use: cfprocparam type=OUT cfsqltype=CF_SQL_INTEGER variable=nextval CF Developer wrote: This should have been simple as making a PBJ. I am calling a SP (SQL Server 2005) using the CFStoredProc function and to get the result set returned as nextval. Basically it should return an interget value. cfstoredproc datasource=#application.datasource# procedure=usp_select_nextval cfprocparam type=In cfsqltype=CF_SQL_VARCHAR value=DataTrack_Block cfprocresult name = nextval /cfstoredproc Now if I try to use CFDump to dump the results set nextval it indicates the variable does not exist. What is it I am missing? It has ot be something I can say DOH about. ~| ColdFusion 8 - Build next generation apps today, with easy PDF and Ajax features - download now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293042 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc
The storedProc only returns a single interget value not a database object or field. It runs a Query, gets a value, increments the value, updates the table and returns the new calculated value. such as: database table as a field called: thisVal and that field is set to 1 It will increment it to 2, updates the table and set to return 2 as: return @nextVal I thought the dbvarname is used to specify the FIELD that you would want to be returned. From: Bruce Sorge [EMAIL PROTECTED] Sent: Friday, November 09, 2007 8:24 AM To: CF-Talk cf-talk@houseoffusion.com Subject: Re: CFStoredProc It looks like you are missing the DBVAR name. CF Developer wrote: This should have been simple as making a PBJ. I am calling a SP (SQL Server 2005) using the CFStoredProc function and to get the result set returned as nextval. Basically it should return an interget value. Now if I try to use CFDump to dump the results set nextval it indicates the variable does not exist. What is it I am missing? It has ot be something I can say DOH about. ~| ColdFusion is delivering applications solutions at at top companies around the world in government. Find out how and where now http://www.adobe.com/cfusion/showcase/index.cfm?event=finderproductID=1522loc=en_us Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293043 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: CFStoredProc
cfstoredproc.statuscode -Original Message- From: CF Developer [mailto:[EMAIL PROTECTED] Sent: Friday, November 09, 2007 10:40 AM To: CF-Talk Subject: Re: CFStoredProc The storedProc only returns a single interget value not a database object or field. It runs a Query, gets a value, increments the value, updates the table and returns the new calculated value. such as: database table as a field called: thisVal and that field is set to 1 It will increment it to 2, updates the table and set to return 2 as: return @nextVal I thought the dbvarname is used to specify the FIELD that you would want to be returned. From: Bruce Sorge [EMAIL PROTECTED] Sent: Friday, November 09, 2007 8:24 AM To: CF-Talk cf-talk@houseoffusion.com Subject: Re: CFStoredProc It looks like you are missing the DBVAR name. CF Developer wrote: This should have been simple as making a PBJ. I am calling a SP (SQL Server 2005) using the CFStoredProc function and to get the result set returned as nextval. Basically it should return an interget value. Now if I try to use CFDump to dump the results set nextval it indicates the variable does not exist. What is it I am missing? It has ot be something I can say DOH about. ~| Download the latest ColdFusion 8 utilities including Report Builder, plug-ins for Eclipse and Dreamweaver updates. http;//www.adobe.com/cfusion/entitlement/index.cfm?e=labs%5adobecf8%5Fbeta Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293046 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc
If you arent returning a result set then you should use a procparam with type=out. -- Gary Gilbert http://www.garyrgilbert.com/blog ~| ColdFusion is delivering applications solutions at at top companies around the world in government. Find out how and where now http://www.adobe.com/cfusion/showcase/index.cfm?event=finderproductID=1522loc=en_us Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293045 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc
You are right. I misread your issue. Since you are only wanting an output variable, you need to change the type to OUT and use the Variable attribute. cfprocparam cfsqltype=CF_SQL_INTEGER variable=nextval type=OUT CF Developer wrote: The storedProc only returns a single interget value not a database object or field. It runs a Query, gets a value, increments the value, updates the table and returns the new calculated value. such as: database table as a field called: thisVal and that field is set to 1 It will increment it to 2, updates the table and set to return 2 as: return @nextVal I thought the dbvarname is used to specify the FIELD that you would want to be returned. ~| Create robust enterprise, web RIAs. Upgrade to ColdFusion 8 and integrate with Adobe Flex http://www.adobe.com/products/coldfusion/flex2/?sdid=RVJP Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:293044 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
CFStoredProc out variable
Hi, i have the following code to call a stored procedure which is stored in mysql. cfstoredproc procedure=addOneToOneChildFolder datasource=portdb cfprocparam type=in cfsqltype=cf_sql_varchar value=#url.OneToOneFolder# null=no cfprocparam type=in cfsqltype=cf_sql_bigint value=1 null=no cfprocparam type=out cfsqltype=cf_sql_boolean value=@queryResult /cfstoredproc cfquery name=checkOneToOneFolderAdded datasource=portdb SELECT @queryResult; /cfquery i have followed the instructions on mysql and the stored procedure works fine if i pass in the out as @queryResult. in mysql when i run SELECT @queryResult; it gives me back a value. however when i run it through coldfusion and do a cfdump of the checkOneToOneFolderAdded query it tells me that it is an empty string. i would appreciate any help you can give me on this, or any other way to reference an out variable, thanks very much thanks very much richard ~| Check out the new features and enhancements in the latest product release - download the What's New PDF now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:290358 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc out variable
Hi Eric, thanks for your reply I did what you said but it is saying that queryResult is undefined the code i used was cfstoredproc procedure=addOneToOneChildFolder datasource=portexdb cfprocparam type=in cfsqltype=cf_sql_varchar value=Hello null=no cfprocparam type=in cfsqltype=cf_sql_bigint value=1 null=no cfprocparam type=out cfsqltype=cf_sql_boolean value=queryResult /cfstoredproc cfoutput#queryResult#/cfoutput and the mySQL procedure is as follows: thanks again for your help CREATE PROCEDURE portexdb.addOneToOneChildFolder(IN folderNameIn VARCHAR(50), IN parentFolderIDIn BIGINT(20), OUT queryResult BOOLEAN) BEGIN DECLARE lastInsertedTableID BIGINT(20); DECLARE lastInsertedTableName VARCHAR(50); SET AUTOCOMMIT=0; INSERT into tables VALUES (null, folderNameIn); SELECT MAX(tableID) into lastInsertedTableID FROM tables; SELECT tableName into lastInsertedTableName FROM tables where tableID = lastInsertedTableID; IF lastInsertedTableName = folderNameIn THEN INSERT into tableChildren VALUES (parentFolderIDIn, lastInsertedTableID, 0); COMMIT; SET AUTOCOMMIT=1; SET queryResult = TRUE; Else ROLLBACK; SET AUTOCOMMIT=1; SET queryResult = FALSE; END IF; END // ~| Enterprise web applications, build robust, secure scalable apps today - Try it now ColdFusion Today ColdFusion 8 beta - Build next generation apps Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:290371 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: CFStoredProc out variable
CF returns the value of the OUT variable as a regular variable, just like you created it with cfset for example. Try this: cfstoredproc procedure=addOneToOneChildFolder datasource=portdb cfprocparam type=in cfsqltype=cf_sql_varchar value=#url.OneToOneFolder# null=no cfprocparam type=in cfsqltype=cf_sql_bigint value=1 null=no cfprocparam type=out cfsqltype=cf_sql_boolean value=queryResult /cfstoredproc cfoutput#queryResult #/cfoutput You'll notice that I removed the @ from your variable name. You can name the OUT variable whatever you want, regardless of what it's called in the database. Richard White wrote: Hi, i have the following code to call a stored procedure which is stored in mysql. cfstoredproc procedure=addOneToOneChildFolder datasource=portdb cfprocparam type=in cfsqltype=cf_sql_varchar value=#url.OneToOneFolder# null=no cfprocparam type=in cfsqltype=cf_sql_bigint value=1 null=no cfprocparam type=out cfsqltype=cf_sql_boolean value=@queryResult /cfstoredproc cfquery name=checkOneToOneFolderAdded datasource=portdb SELECT @queryResult; /cfquery i have followed the instructions on mysql and the stored procedure works fine if i pass in the out as @queryResult. in mysql when i run SELECT @queryResult; it gives me back a value. however when i run it through coldfusion and do a cfdump of the checkOneToOneFolderAdded query it tells me that it is an empty string. i would appreciate any help you can give me on this, or any other way to reference an out variable, thanks very much thanks very much richard ~| ColdFusion 8 - Build next generation apps today, with easy PDF and Ajax features - download now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:290368 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: CFStoredProc out variable
Hi, i have the following code to call a stored procedure which is stored in mysql. cfstoredproc procedure=addOneToOneChildFolder datasource=portdb cfprocparam type=in cfsqltype=cf_sql_varchar value=#url.OneToOneFolder# null=no cfprocparam type=in cfsqltype=cf_sql_bigint value=1 null=no cfprocparam type=out cfsqltype=cf_sql_boolean value=@queryResult /cfstoredproc cfquery name=checkOneToOneFolderAdded datasource=portdb SELECT @queryResult; /cfquery i have followed the instructions on mysql and the stored procedure works fine if i pass in the out as @queryResult. in mysql when i run SELECT @queryResult; it gives me back a value. however when i run it through coldfusion and do a cfdump of the checkOneToOneFolderAdded query it tells me that it is an empty string. You can reference the OUT parameter directly: http://livedocs.adobe.com/coldfusion/7/htmldocs/0313.htm You will need to add a VARIABLE attribute to your CFPROCPARAM TYPE=OUT, and remove the VALUE attribute, which is only useful with IN/INOUT parameters.. You won't need a separate query. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| ColdFusion 8 - Build next generation apps today, with easy PDF and Ajax features - download now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:290377 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: CFStoredProc out variable
Thanks Dave your a superstar!!! I changed the value to variable and it worked fine :) Thanks again ~| Check out the new features and enhancements in the latest product release - download the What's New PDF now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:290381 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Cfstoredproc message
In a nutshell, you don't as you should always have a no count at the top of the SP anyway. You can certainly return a variable of your choosing etc by using custom return codes - which may, or may not be as detailed as you want. This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant, Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business, Registered in England, Number 678540. It contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sender or call our switchboard on +44 (0) 20 89107910. The opinions expressed within this communication are not necessarily those expressed by Reed Exhibitions. Visit our website at http://www.reedexpo.com -Original Message- From: Richard Meredith-Hardy To: CF-Talk Sent: Wed Feb 28 04:58:19 2007 Subject: RE: Cfstoredproc message I suppose it's really a mssql question of trapping the generated message(s) and putting them in a var which can be returned to CF. How to do it though? -Original Message- From: Dinner [mailto:[EMAIL PROTECTED] Sent: 28 February 2007 00:38 To: CF-Talk Subject: Re: Cfstoredproc message If you use java DB stuff, I assume it would be available... Probably not from the built in CF DB stuff tho. :-/ On 2/27/07, Richard Meredith-Hardy [EMAIL PROTECTED] wrote: Not quite what I'm looking for, I think. This is actually a sp which contains a RESTORE DATABASE command and I'm interested to capture the stuff which goes into messages like: Processed 10240 pages for database 'xx', file 'xxx' on file 1. Processed 1 pages for database 'x', file 'xx_log' on file 1. RESTORE DATABASE successfully processed 10241 pages in 11.732 seconds (7.150 MB/sec). How do I capture that? ~| Upgrade to Adobe ColdFusion MX7 Experience Flex 2 MX7 integration create powerful cross-platform RIAs http://www.adobe.com/products/coldfusion/flex2/ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270921 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Cfstoredproc message
I suppose it's really a mssql question of trapping the generated message(s) and putting them in a var which can be returned to CF. How to do it though? There may be better alternatives but two possibilities are - capture the warnings using java/jdbc as Dinner suggested - create a stored procedure that uses xp_cmdshell and sqlcmd/osql (sql 2005/2000) to capture the messages and return them to cfstoredproc Then parse the output messages Janet ~| ColdFusion MX7 and Flex 2 Build sales marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:271054 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: Cfstoredproc message
Not quite what I'm looking for, I think. This is actually a sp which contains a RESTORE DATABASE command and I'm interested to capture the stuff which goes into messages like: Processed 10240 pages for database 'xx', file 'xxx' on file 1. Processed 1 pages for database 'x', file 'xx_log' on file 1. RESTORE DATABASE successfully processed 10241 pages in 11.732 seconds (7.150 MB/sec). How do I capture that? -Original Message- From: Robertson-Ravo, Neil (RX) [mailto:[EMAIL PROTECTED] Sent: 27 February 2007 07:45 To: CF-Talk Subject: Re: Cfstoredproc message Well if it is success or not then you just use the return codes. If you want a specific user defined message you will have to select it into a var and return it as an OUT or as a resultset. This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant, Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business, Registered in England, Number 678540. It contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sender or call our switchboard on +44 (0) 20 89107910. The opinions expressed within this communication are not necessarily those expressed by Reed Exhibitions. Visit our website at http://www.reedexpo.com -Original Message- From: Richard Meredith-Hardy To: CF-Talk Sent: Tue Feb 27 06:45:39 2007 Subject: Cfstoredproc message Simple question, I hope How does one get back to CF the message a stored proc normally puts in the messages window when you run it in SQL Server management studio or enterprise manager? Thanks in advance Richard (I've hunted around but difficult to search for the word 'message'...) ~| Deploy Web Applications Quickly across the enterprise with ColdFusion MX7 Flex 2. Free Trial http://www.adobe.com/products/coldfusion/flex2/ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270748 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Cfstoredproc message
If you use java DB stuff, I assume it would be available... Probably not from the built in CF DB stuff tho. :-/ On 2/27/07, Richard Meredith-Hardy [EMAIL PROTECTED] wrote: Not quite what I'm looking for, I think. This is actually a sp which contains a RESTORE DATABASE command and I'm interested to capture the stuff which goes into messages like: Processed 10240 pages for database 'xx', file 'xxx' on file 1. Processed 1 pages for database 'x', file 'xx_log' on file 1. RESTORE DATABASE successfully processed 10241 pages in 11.732 seconds (7.150 MB/sec). How do I capture that? ~| ColdFusion MX7 by Adobe® Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. Free Trial. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270897 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: Cfstoredproc message
I suppose it's really a mssql question of trapping the generated message(s) and putting them in a var which can be returned to CF. How to do it though? -Original Message- From: Dinner [mailto:[EMAIL PROTECTED] Sent: 28 February 2007 00:38 To: CF-Talk Subject: Re: Cfstoredproc message If you use java DB stuff, I assume it would be available... Probably not from the built in CF DB stuff tho. :-/ On 2/27/07, Richard Meredith-Hardy [EMAIL PROTECTED] wrote: Not quite what I'm looking for, I think. This is actually a sp which contains a RESTORE DATABASE command and I'm interested to capture the stuff which goes into messages like: Processed 10240 pages for database 'xx', file 'xxx' on file 1. Processed 1 pages for database 'x', file 'xx_log' on file 1. RESTORE DATABASE successfully processed 10241 pages in 11.732 seconds (7.150 MB/sec). How do I capture that? ~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade see new features. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270918 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Cfstoredproc message
Simple question, I hope How does one get back to CF the message a stored proc normally puts in the messages window when you run it in SQL Server management studio or enterprise manager? Thanks in advance Richard (I've hunted around but difficult to search for the word 'message'...) ~| ColdFusion MX7 and Flex 2 Build sales marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270739 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Cfstoredproc message
Well if it is success or not then you just use the return codes. If you want a specific user defined message you will have to select it into a var and return it as an OUT or as a resultset. This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant, Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business, Registered in England, Number 678540. It contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sender or call our switchboard on +44 (0) 20 89107910. The opinions expressed within this communication are not necessarily those expressed by Reed Exhibitions. Visit our website at http://www.reedexpo.com -Original Message- From: Richard Meredith-Hardy To: CF-Talk Sent: Tue Feb 27 06:45:39 2007 Subject: Cfstoredproc message Simple question, I hope How does one get back to CF the message a stored proc normally puts in the messages window when you run it in SQL Server management studio or enterprise manager? Thanks in advance Richard (I've hunted around but difficult to search for the word 'message'...) ~| Deploy Web Applications Quickly across the enterprise with ColdFusion MX7 Flex 2. Free Trial http://www.adobe.com/products/coldfusion/flex2/ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270740 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: cfstoredproc vs cfquery
I also don't know of any overhead... This e-mail is from Reed Exhibitions (Gateway House, 28 The Quadrant, Richmond, Surrey, TW9 1DN, United Kingdom), a division of Reed Business, Registered in England, Number 678540. It contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. If you have received this communication in error please return it to the sender or call our switchboard on +44 (0) 20 89107910. The opinions expressed within this communication are not necessarily those expressed by Reed Exhibitions. Visit our website at http://www.reedexpo.com -Original Message- From: Dave Watts To: CF-Talk Sent: Sat Feb 24 22:46:09 2007 Subject: RE: cfstoredproc vs cfquery Thanks for your input, Dave. My concern is the processing overhead that is incurred by using CFSTOREDPROC. Do you know of any way to access multiple recordsets in CFQUERY? As it stands now, CFQUERY only returns the 1st recordset while ignoring the rest. The ability to pull multiple recordsets, in my opinion, is the only advantage to CFSTOREDPROC. I don't know that there's any significant processing overhead specific to CFSTOREDPROC. I don't know of a way to return multiple recordsets with CFQUERY, and I don't think it's possible. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| ColdFusion MX7 and Flex 2 Build sales marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270642 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
RE: cfstoredproc vs cfquery
Thanks for your input, Dave. My concern is the processing overhead that is incurred by using CFSTOREDPROC. Do you know of any way to access multiple recordsets in CFQUERY? As it stands now, CFQUERY only returns the 1st recordset while ignoring the rest. The ability to pull multiple recordsets, in my opinion, is the only advantage to CFSTOREDPROC. I don't know that there's any significant processing overhead specific to CFSTOREDPROC. I don't know of a way to return multiple recordsets with CFQUERY, and I don't think it's possible. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| ColdFusion MX7 by Adobe® Dyncamically transform webcontent into Adobe PDF with new ColdFusion MX7. Free Trial. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270623 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: cfstoredproc vs cfquery
Thanks for your input, Dave. My concern is the processing overhead that is incurred by using CFSTOREDPROC. Do you know of any way to access multiple recordsets in CFQUERY? As it stands now, CFQUERY only returns the 1st recordset while ignoring the rest. The ability to pull multiple recordsets, in my opinion, is the only advantage to CFSTOREDPROC. Jim Anyone know if there is an advantage either way when it comes to calling a stored procedure? In the example you provided, there's no difference, but stored procedures can be much more complex than a single SQL statement. Stored procedures can return multiple recordsets, they can accept and return parameters. The CFSTOREDPROC tag allows for all that. Also, you can't use CFQUERY on all platforms to execute stored procedures, as I recall. But if you don't have any of these issues there's nothing wrong with using CFQUERY instead, and there are some advantages, such as the ability to use CACHEDWITHIN/CACHEDAFTER. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Upgrade to Adobe ColdFusion MX7 Experience Flex 2 MX7 integration create powerful cross-platform RIAs http://www.adobe.com/products/coldfusion/flex2/ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270618 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
cfstoredproc vs cfquery
Anyone know if there is an advantage either way when it comes to calling a stored procedure? Say I have a storedproc called GetAllResults. I can call it 2 ways. cfquery name=myquery datasource=mydatasource Execute GetAllResults /cfquery cfdump var=#myQuery# / Or cfstoredproc datasource=mydatasource procedure=GetAllResults cfprocresult name=myquery / /cfstoredproc cfdump var=#myQuery# / CFquery seems to be faster to me. I just wondered what everyone else thought about it and if there was an advantage or disadvantage either way that I dont know about. Oh, I also thought it was funny that cfquery was only faster than cfstoredproc when cfquery was NOT cached odd. ..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:. Bobby Hartsfield ColdFusion Application Developer HYPERLINK http://acoderslife.comhttp://acoderslife.com -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.441 / Virus Database: 268.18.3/697 - Release Date: 2/22/2007 11:55 AM ~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade see new features. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270462 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfstoredproc vs cfquery
The only one I can think of, but then I don't use SP's very often; IIRC is that the cfstoredProc tag can handle more complex procedures. -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA - | 1 | | - Binary Sudoku | | | - C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice: This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. ~| Macromedia ColdFusion MX7 Upgrade to MX7 experience time-saving features, more productivity. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270463 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfstoredproc vs cfquery
None come to mind that can't be executed via cfquery. What do you mean by more complex? -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.441 / Virus Database: 268.18.3/697 - Release Date: 2/22/2007 11:55 AM ~| Upgrade to Adobe ColdFusion MX7 Experience Flex 2 MX7 integration create powerful cross-platform RIAs http://www.adobe.com/products/coldfusion/flex2/ Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270464 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: cfstoredproc vs cfquery
cfstoredproc will allow you to get back multiple resultsets. If you've got the latest updates (and the release notes are correct), they've finally fixed the 'annoymous' resultset issue, allowing un-numbered cfprocresults. -Original Message- From: Bobby Hartsfield [mailto:[EMAIL PROTECTED] Sent: Thursday, February 22, 2007 11:31 AM To: CF-Talk Subject: RE: cfstoredproc vs cfquery None come to mind that can't be executed via cfquery. What do you mean by more complex? -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.441 / Virus Database: 268.18.3/697 - Release Date: 2/22/2007 11:55 AM ~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade see new features. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270469 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4