I'm stumped. This is an UPDATE query running on a CF8 server with an Access
backend. (This is before I started using cfqueryparam and I haven't had a
chance to update this code.) I've abbreviated the page.
cfparam name=FORM.DuesExpire default=
In the query: DuesExpire = cfif
Your year is 20141 that is close to twenty thousand years in the future.
-Original Message-
From: Stephens, Larry V [mailto:steph...@iu.edu]
Sent: Friday, September 06, 2013 8:33 AM
To: cf-talk
Subject: CreateODBCDate()
I'm stumped. This is an UPDATE query running on a CF8 server with
shouldn't it be 2014 not 20141 ?
On Fri, Sep 6, 2013 at 1:33 PM, Stephens, Larry V steph...@iu.edu wrote:
I'm stumped. This is an UPDATE query running on a CF8 server with an
Access backend. (This is before I started using cfqueryparam and I haven't
had a chance to update this code.) I've
Is anyone familiar with this code: http://pastebin.com/2v3PMx4M
We found this in one of our sites which has been getting hacked lately. We also
found a few other infected files which we've cleaned, but this one in particular
was somehow injected into one of our sites. Anyone know what this
this is the cfshell that was getting installed by the well known
cfadmin/adminapi hack.
So you must still have your cfadmin or adminapi publicly accessible on that
server.
On Fri, Sep 6, 2013 at 2:32 PM, Robert Harrison
rob...@austin-williams.com wrote:
Is anyone familiar with this code:
Yes, it certainly can be used by hackers. It can be used to manipulate the
file system, upload files, execute exe's, and run database queries against
your datasources.
This file is most commonly found via the adminapi Hack widely exploited in
Dec/Jan 2012 (eg /CFIDE/h.cfm, etc), but I've also
shouldn't it be 2014 not 20141 ?
Your year is 20141 that is close to twenty thousand years in the future.
I know that - that's why I get the error on UPDATE. My question is has anyone
ever seen CreateODBCDate create something like this?
My point below is that if FORM had passed 04/30/20141
Are you sure that you aren't adding that twenty thousand years by accident?
It is for a dues expire, are you doing a + 1 to it? For example:
<cfset Variables.mydate = '04/30/2014' />
<cfset Variables.mydate = Variables.mydate + 1 />
Result in this case would be Variables.mydate = '04/40/20141'.
Thank You... that was useful. We have the server locked, but these files have
been here for some time. Now we have to scan everything for some of the strings
in the files.
Robert Harrison
Director of Interactive Services
Austin Williams
Advertising I Branding I Digital I Direct
125
In the query: DuesExpire = <cfif len(FORM.DuesExpire) EQ 0>NULL<cfelse>#CreateODBCDate(FORM.DuesExpire)#</cfif>,
So I suppose you're using the variable DuesExpire in the SQL code.
In that case, since the ODBCDate contains single quotes, the pseudo function
Preserve single quotes should be used,
has anyone ever seen CreateODBCDate create something like this?
Yes. If you enter a numeric expression (or something that evaluates to a
number), rather than a date string, that could happen. For example:
createODBCDate(6662510)
But as mentioned, that is just a guess without knowing more.
Dave I want to thank you for your help. I resolved the issue.
Because my Exchange server and CF server are on different machines I had to
create a new receive connector allowing relay from the IP address of my CF
server. Out of the box, Exchange doesn't allow any relay from a remote machine.
Have a great weekend.
You too!
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/
Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or
Here's the message it sent me:
Detail: [Macromedia][SequeLink
JDBC Driver][ODBC Socket][Microsoft][ODBC Microsoft Access Driver]
Syntax error (missing operator) in query expression 'd '20141-04-30'}'
It shows the query: ..., DuesExpire = {d '20141-04-30'}, ...
What is the complete error
On 9/6/2013 5:10 PM, Leigh wrote:
Here's the message it sent me:
Detail: [Macromedia][SequeLink
JDBC Driver][ODBC Socket][Microsoft][ODBC Microsoft Access Driver]
Syntax error (missing operator) in query expression 'd '20141-04-30'}'
It shows the query: ..., DuesExpire = {d
Is anyone familiar with this code: http://pastebin.com/2v3PMx4M
I googled the author's name. It's Too Simple File Manager ($15), but this
version is outdated and has been modified to allow commandline execution and
SQL transactions:
http://www.cftagstore.com/?page=viewTagtagId=290
We had an exchange server once and it was a nightmare and the guy who was
supposed to manage it had clearly bitten off more than he could chew and
barely knew what he was doing and it was falling over all the time.
I spent a few days working on it and would have torn my hair out if I
had any.
Access will not process 20141 as a valid year in a date field.
Yep, but if the error message is to be believed, it suggests a different
problem like an empty variable, bad quotes, etcetera. So I would be interested
in seeing the full error and sql.
-Leig