query based on a test input box

Explorer, Jul 20, 2006


Hi,
I have this HTML input box and I want to output a query based on what I put in the input box. What should I do now?

Thanks


<form id="form1" name="form1" method="post" action="">
<label>enter id <input type="text" name="textfield" />
</label>
</form>
TOPICS: Advanced techniques

1 Correct answer
Mentor, Jul 24, 2006 (reproduced in full below)

LEGEND, Jul 20, 2006

Read the documentation:
http://livedocs.macromedia.com/coldfusion/7/htmldocs/00001252.htm

page1.html
----------
<form id="form1" name="form1" method="post" action="page2.cfm">
<label>enter id <input type="text" name="textfield" />
</label>
</form>

page2.cfm
---------
<!--- form.textfield is bound as a typed parameter, so whatever the user typed is compared as a value and never parsed as SQL --->
<cfquery name="foo" datasource="bar">
SELECT aField, bField, cField
FROM aTable
WHERE aField = <cfqueryparam value="#form.textfield#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfoutput query="foo">
#aField# #bField# #cField#
</cfoutput>

briankind wrote:
> query based on a test input box
>
> hi
> i have this html input box and i want to output a query based on what i put in
> the input box. what should i do now.
>
> thanks
>
>
> <form id="form1" name="form1" method="post" action="">
> <label>enter id <input type="text" name="textfield" />
> </label>
> </form>
>

LEGEND, Jul 21, 2006

Simpler to write:

<cfquery name="foo" datasource="bar">
SELECT aField, bField, cField
FROM aTable
WHERE aField = '#form.textfield#'
</cfquery>

No????

JiBé


> <cfoutput query="foo">
> #aField# #bField# #cField#
> </cfoutput>

Explorer, Jul 23, 2006

Hi!
Do I just insert this '#form.textfield#' just like that, or is form.textfield a different name?

The name of the field in the database is an_number. Do I have to declare a variable?
Also, in form.textfield, is "form" exactly the same name?
How does this work?
Thanks again

Mentor, Jul 24, 2006

I posted this as an example of what can be done, and it should work as written. However, the "live dangerously" part is because using this template, as written, would allow anyone to execute ANY query in your database, including DELETE and UPDATE queries, without restriction. This is actually a simplified form of the one that I actually developed for one of my applications, as that one actually has a login requirement and state management, etc. that I didn't include, in order to keep it simple. The one I posted is wide open, so use with caution.

Phil

Contributor, Jul 21, 2006

Be very, very careful when doing this. If you do not validate your input before passing to your SQL statement, someone could put malicious code in the input box and pass it along to your SQL statement.

Explorer, Jul 23, 2006

Thanks.
"Do not validate your input before passing to your SQL statement"?
How do you validate?
The input will be a string, something like 123-1234-oop-qa

Any examples?

Also, "malicious": what do you mean?
And how can I prevent this?

LEGEND, Jul 21, 2006

Yes it is more simple, but then it is also very simple for me, a
malicious user of the form, to put SQL text into the form field that
will then be run by the database server.

If I put this into the input box: foobar'; DROP TABLE aTable; --

You could be a very unhappy developer.

JiBé wrote:
> More simple to write
>
> <cfquery name="foo" datasource="bar">
> SELECT aField, bField, cField
> FROM aTable
> WHERE aField = '#form.textfield#'
> </cfquery>
>
> No????
>
> JiBé
>
>
>> <cfoutput query="foo">
>> #aField# #bField# #cField#
>> </cfoutput>
>

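To make the two warnings in this thread concrete (the Contributor's point that unvalidated input flows straight into the SQL statement, and the foobar'; DROP TABLE aTable; -- payload in the reply just above), here is an added example. It is not code from any poster in the thread and it is not ColdFusion: Python with the built-in sqlite3 module stands in for cfquery, and a bound ? parameter stands in for cfqueryparam. The table and its rows are constructed for the example; the column name an_number is the OP's, bField and cField come from the posted query, and the allowlist for the 123-1234-oop-qa format is an assumption about what the real IDs look like. sqlite3's execute() refuses stacked statements, so executescript() is used to stand in for a database connection that does not.

```python
import re
import sqlite3

# Constructed sample data standing in for the thread's "aTable"; the column
# name an_number comes from the OP, bField/cField from the posted cfquery.
SAMPLE_ROWS = [
    ("123-1234-oop-qa", "alpha", "first record"),
    ("456-0001-abc-zz", "beta", "second record"),
    ("789-9999-xyz-qa", "gamma", "third record"),
]

# Allowlist for the ID format the OP describes ("123-1234-oop-qa"): groups of
# letters and digits separated by hyphens. The exact scheme is an assumption;
# tighten it to the real one. It admits no quotes, spaces, semicolons or
# comment markers, so an injection payload never reaches the query at all.
ID_PATTERN = re.compile(r"[A-Za-z0-9]+(?:-[A-Za-z0-9]+){0,3}")
MAX_ID_LENGTH = 32

DROP_PAYLOAD = "foobar'; DROP TABLE aTable; --"   # the payload quoted in the thread
TAUTOLOGY_PAYLOAD = "' OR '1'='1"                 # turns the WHERE clause into "always true"


def is_valid_id(value: str) -> bool:
    """Allowlist check: true only for strings shaped like a legitimate ID."""
    return 0 < len(value) <= MAX_ID_LENGTH and ID_PATTERN.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aTable (an_number TEXT, bField TEXT, cField TEXT)")
    conn.executemany("INSERT INTO aTable VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'aTable'"
    ).fetchone()
    return row is not None


def _concatenated_sql(user_input: str) -> str:
    # Same shape as WHERE aField = '#form.textfield#': the input is pasted into SQL text.
    return "SELECT an_number, bField, cField FROM aTable WHERE an_number = '" + user_input + "'"


def lookup_unsafe(conn: sqlite3.Connection, user_input: str) -> list:
    """String concatenation on a single-statement driver: data leaks, not destruction.

    With TAUTOLOGY_PAYLOAD the clause becomes an_number = '' OR '1'='1' and
    every row comes back instead of one.
    """
    return conn.execute(_concatenated_sql(user_input)).fetchall()


def lookup_unsafe_stacked(conn: sqlite3.Connection, user_input: str) -> None:
    """The same concatenation on a connection that runs stacked statements.

    executescript() mimics such a driver; with DROP_PAYLOAD the SELECT runs,
    then the DROP TABLE, and the trailing quote is swallowed by the -- comment.
    """
    conn.executescript(_concatenated_sql(user_input))


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """What cfqueryparam does: the statement text is fixed, the value is bound.

    Both payloads are compared literally against an_number and match nothing.
    """
    sql = "SELECT an_number, bField, cField FROM aTable WHERE an_number = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_input: str):
    """Defence in depth: allowlist first, then a bound parameter.

    Returns None when the input does not look like an ID, so the caller can
    show an error instead of querying at all.
    """
    if not is_valid_id(user_input):
        return None
    return lookup_parameterized(conn, user_input)


def demo() -> dict:
    """Run every variant against a fresh database and report what happened."""
    db = make_db()
    results = {
        "unsafe_tautology_rows": len(lookup_unsafe(db, TAUTOLOGY_PAYLOAD)),      # 3
        "parameterized_tautology_rows": len(lookup_parameterized(db, TAUTOLOGY_PAYLOAD)),  # 0
        "validated_good_id": lookup_validated(db, "123-1234-oop-qa"),            # one row
        "validated_payload": lookup_validated(db, DROP_PAYLOAD),                 # None
        "table_before": table_exists(db),                                        # True
    }
    lookup_unsafe_stacked(db, DROP_PAYLOAD)
    results["table_after"] = table_exists(db)                                    # False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist alone would already have stopped both payloads, and the bound parameter alone would too; using both means a mistake in one (a regex loosened later, a query someone rewrites with concatenation) does not immediately become an injection.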
Mentor, Jul 21, 2006

Hey, you might as well live real dangerously. This will allow you to enter an entire query in a text box and submit it.

Phil

Explorer, Jul 23, 2006

Live real dangerously!

I don't get it. Is this set of code supposed to be good or bad?
I don't mean to hesitate on this, but you wrote this part: "live real dangerously!"
I just wanted to know if this is safe, because I don't want to get fired for not being careful.
Thanks
