[cfaussie] Site Wide Error Template - SQL?
Hi,

Enable robust exception information is checked in CF admin. So I guess it does not make a difference.

[EMAIL PROTECTED] 30/03/2006 5:32 pm

Scott, does the amount of information available to the site-wide template change when you check/uncheck the Enable Robust Exception Information in the Debugging & Logging > Debugging Settings of CF admin?

Cheers
Gav

On 3/30/06, Joel Cass [EMAIL PROTECTED] wrote:

This seems to work for me:

<cfif isDefined("error.rootCause.SQL")>
SQL: #error.rootCause.SQL#<br>
<cfelseif structKeyExists(error.rootCause.tagContext[1], "SQL")>
SQL: #error.rootCause.tagContext[1].SQL#<br>
</cfif>

You may not need to use the whole thing. The template has been made to run on a few different versions of CF since 4.5 :)

Joel

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] Behalf Of Scott Thornton
Sent: Thursday, 30 March 2006 1:30 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] Site Wide Error Template - SQL?

Hi,

The default ColdFusion error page includes the SQL of a query if the error is query related. Using the site wide error template, is it possible to get hold of and display this sql?

Using cfdump var=#error# label=error structure, there is no sql displayed, and only the error.diagnostic field contains useful information...

--
www.gavcooney.com

You received this message because you are subscribed to the Google Groups cfaussie group.
To post to this group, send email to cfaussie@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cfaussie
[cfaussie] Site Wide Error Template - SQL?
Thanks, will give your advice a go shortly

[EMAIL PROTECTED] 30/03/2006 6:29 pm

This seems to work for me:

<cfif isDefined("error.rootCause.SQL")>
SQL: #error.rootCause.SQL#<br>
<cfelseif structKeyExists(error.rootCause.tagContext[1], "SQL")>
SQL: #error.rootCause.tagContext[1].SQL#<br>
</cfif>

You may not need to use the whole thing. The template has been made to run on a few different versions of CF since 4.5 :)

Joel

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] Behalf Of Scott Thornton
Sent: Thursday, 30 March 2006 1:30 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] Site Wide Error Template - SQL?

Hi,

The default ColdFusion error page includes the SQL of a query if the error is query related. Using the site wide error template, is it possible to get hold of and display this sql?

Using cfdump var=#error# label=error structure, there is no sql displayed, and only the error.diagnostic field contains useful information...
[cfaussie] tvguide.com.au
Crash, bang, boom of a CF site. I wonder what kind of traffic they get? Might be some job opps opening up or maybe just some hosting opportunities maybe? ;)

Chad

-
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

The following information is meant for the website developer for debugging purposes.

Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL               select person_id, password from users.dbo.person where person_id = 2617356
DATASOURCE        hww_sql
VENDORERRORCODE   942
SQLSTATE          HY000

Resources:
* Check the ColdFusion documentation to verify that you are using the correct syntax.
* Search the Knowledge Base to find a solution to your problem.

Browser          Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 (ax)
Remote Address   58.104.59.236
Referrer
Date/Time        31-Mar-06 02:01 PM

Stack Trace
at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)
at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)

java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.
    at macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)
    at macromedia.jdbc.base.BaseExceptions.getException(Unknown Source)
    at macromedia.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown Source)
    at macromedia.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown Source)
    at macromedia.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown Source)
    at macromedia.jdbc.sqlserver.SQLServerImplStatement.getNextResultType(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.commonTransitionToState(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.postImplExecute(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.commonExecute(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.executeInternal(Unknown Source)
    at macromedia.jdbc.base.BaseStatement.execute(Unknown Source)
    at coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:212)
    at coldfusion.sql.Executive.executeQuery(Executive.java:719)
    at coldfusion.sql.Executive.executeQuery(Executive.java:652)
    at coldfusion.sql.Executive.executeQuery(Executive.java:613)
    at coldfusion.sql.SqlImpl.execute(SqlImpl.java:236)
    at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:499)
    at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)
    at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
    at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
    at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:210)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:69)
    at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:115)
    at coldfusion.CfmServlet.service(CfmServlet.java:107)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
    at com.seefusion.Filter.doFilter(Filter.java)
    at com.seefusion.SeeFusion.doFilter(SeeFusion.java)
    at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
    at jrun.servlet.FilterChain.service(FilterChain.java:101)
    at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
    at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
    at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
    at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
    at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
    at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:318)
    at
[cfaussie] Re: tvguide.com.au
Dam,

That really looks open to SQL Injection, someone should let them know.

Regards
Dale Fraser

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au

Crash, bang, boom of a CF site. I wonder what kind of traffic they get? Might be some job opps opening up or maybe just some hosting opportunities maybe? ;)

Chad

-- ---
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

The following information is meant for the website developer for debugging purposes.

Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL               select person_id, password from users.dbo.person where person_id = 2617356
DATASOURCE        hww_sql
VENDORERRORCODE   942
SQLSTATE          HY000

Resources:
* Check the ColdFusion documentation to verify that you are using the correct syntax.
* Search the Knowledge Base to find a solution to your problem.

Browser          Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.9) Gecko/20050711 Firefox/1.0.5 (ax)
Remote Address   58.104.59.236
Referrer
Date/Time        31-Mar-06 02:01 PM

Stack Trace
at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)
at cfindex2ecfm1650242660.runPage(D:\web\tvguide.com.au\index.cfm:32)

java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.
[cfaussie] sql injection was: tvguide.com.au
Just curious, not knowing much about sql injection...

Wouldn't the 'val()' function be sufficient protection in this case? Presuming that the sql that was trying to be 'injected' was stored in cookie.person_id then the val() function will effectively nullify it by returning zero... No?

ps. apologies for hijacking the thread...

Cheers,
Brett
B)

Dale Fraser wrote:

Dam,

That really looks open to SQL Injection, someone should let them know.

Regards
Dale Fraser

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au

Crash, bang, boom of a CF site. I wonder what kind of traffic they get? Might be some job opps opening up or maybe just some hosting opportunities maybe? ;)

Chad

-- ---
The web site you are accessing has experienced an unexpected error.
Please contact the website administrator.

The following information is meant for the website developer for debugging purposes.

Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL               select person_id, password from users.dbo.person where person_id = 2617356
DATASOURCE        hww_sql
VENDORERRORCODE   942
SQLSTATE          HY000

Resources:
* Check the ColdFusion documentation to verify that you are using the correct syntax.
* Search the Knowledge Base to find a solution to your problem.
[cfaussie] Re: sql injection was: tvguide.com.au
Yes,

You are correct, but there will be other queries on the page, I'm sure.

What you need for SQL injection, a table name: users.dbo.person

So the error gives all that and more, so if there is another keyword search page or similar, without vals or cfqueryparams away you go.

Moral of the story, is debugging shouldn't be on in production and we would have never known the table name. Or at least the errors should be caught.

Regards
Dale Fraser

Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL   select person_id, password from users.dbo.person where person_id = 2617356

Regards
Dale Fraser

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Brett Payne-Rhodes
Sent: Friday, 31 March 2006 14:34 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] sql injection was: tvguide.com.au

Just curious, not knowing much about sql injection...

Wouldn't the 'val()' function be sufficient protection in this case? Presuming that the sql that was trying to be 'injected' was stored in cookie.person_id then the val() function will effectively nullify it by returning zero... No?

ps. apologies for hijacking the thread...

Cheers,
Brett
B)

Dale Fraser wrote:

Dam,

That really looks open to SQL Injection, someone should let them know.

Regards
Dale Fraser

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au

Crash, bang, boom of a CF site. I wonder what kind of traffic they get? Might be some job opps opening up or maybe just some hosting opportunities maybe?
[cfaussie] sql injection was: tvguide.com.au
not debugging, more 'Enable Robust Exception Information' is checked.

[EMAIL PROTECTED] 31/03/2006 3:01:00 pm

Yes,

You are correct, but there will be other queries on the page, I'm sure.

What you need for SQL injection, a table name: users.dbo.person

So the error gives all that and more, so if there is another keyword search page or similar, without vals or cfqueryparams away you go.

Moral of the story, is debugging shouldn't be on in production and we would have never known the table name. Or at least the errors should be caught.

Regards
Dale Fraser

Error Occurred While Processing Request

Error Executing Database Query.
[Macromedia][SQLServer JDBC Driver][SQLServer]Database 'users' cannot be opened because it is offline.

The error occurred in D:\web\tvguide.com.au\index.cfm: line 32

30 : select person_id, password
31 : from users.dbo.person
32 : where person_id = #Val(cookie.person_id)#
33 : </cfquery>
34 :

SQL   select person_id, password from users.dbo.person where person_id = 2617356

Regards
Dale Fraser

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Brett Payne-Rhodes
Sent: Friday, 31 March 2006 14:34 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] sql injection was: tvguide.com.au

Just curious, not knowing much about sql injection...

Wouldn't the 'val()' function be sufficient protection in this case? Presuming that the sql that was trying to be 'injected' was stored in cookie.person_id then the val() function will effectively nullify it by returning zero... No?

ps. apologies for hijacking the thread...

Cheers,
Brett
B)

Dale Fraser wrote:

Dam,

That really looks open to SQL Injection, someone should let them know.

Regards
Dale Fraser

-Original Message-
From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Chad Renando
Sent: Friday, 31 March 2006 14:06 PM
To: cfaussie@googlegroups.com
Subject: [cfaussie] tvguide.com.au

Crash, bang, boom of a CF site. I wonder what kind of traffic they get?
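
The two points the thread ends on (catch errors so the visitor never sees the SQL or table names, and bind values with cfqueryparam) as an added CFML example; it is not code from the posters or from the site discussed. The file name sitewide_error.cfm, the log name sitewide_errors and the query name getPerson are assumptions; the datasource and SQL are the ones shown in the quoted error page.

```cfml
<!--- sitewide_error.cfm (assumed file name), registered as the
      Site-wide Error Handler in CF admin.
      The failing SQL is written to a server-side log; the visitor
      only receives a reference ID to quote to the administrator. --->
<cfsilent>
    <cfset errorRef  = createUUID()>
    <cfset failedSql = "">
    <cfset detail    = "">

    <!--- Same lookup as posted in the thread: where the SQL lives
          in the error structure differs between CF versions. --->
    <cfif isDefined("error.rootCause.SQL")>
        <cfset failedSql = error.rootCause.SQL>
    <cfelseif isDefined("error.rootCause.tagContext")
              and isArray(error.rootCause.tagContext)
              and arrayLen(error.rootCause.tagContext) gt 0
              and structKeyExists(error.rootCause.tagContext[1], "SQL")>
        <cfset failedSql = error.rootCause.tagContext[1].SQL>
    </cfif>

    <cfif isDefined("error.diagnostics")>
        <cfset detail = error.diagnostics>
    </cfif>

    <!--- The log now holds query text and values, so the log
          directory must not be readable from the web root. --->
    <cflog file="sitewide_errors" type="error"
           text="ref=#errorRef# page=#cgi.script_name# diagnostics=#detail# sql=#failedSql#">
</cfsilent>
<cfheader statuscode="500" statustext="Internal Server Error">
<cfoutput>
<html>
<head><title>Error</title></head>
<body>
<p>Sorry, something went wrong. Please quote reference #errorRef#
   when contacting the website administrator.</p>
</body>
</html>
</cfoutput>

<!--- In the page itself: bind the cookie value instead of
      interpolating it. cf_sql_integer makes ColdFusion validate the
      value and throw before the statement reaches the database if it
      is not an integer; that exception then lands in the handler
      above rather than on the visitor's screen. --->
<cfquery name="getPerson" datasource="hww_sql">
    select person_id, password
    from users.dbo.person
    where person_id = <cfqueryparam value="#cookie.person_id#" cfsqltype="cf_sql_integer">
</cfquery>
```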