7 Replies Latest reply on Dec 5, 2013 12:25 PM by Sahben1

    Executing coldfusion code contained in an SQL record.

    Sahben1

      Hi everyone,

       

I have ColdFusion code saved in a database record. When I run a query it shows me the content of the database record, but it doesn't execute it. Is there any way to execute the query result?

       

      Thanks

        • 1. Re: Executing coldfusion code contained in an SQL record.
          Aegis Kleais Level 3

          The data coming back as a string may be able to be evaluated, ie:

           

          <cfoutput>
               <!--- Stand-in for the string returned from the database. --->
               <cfset dataReturnedFromDBAsString = '<cfif 1 eq 1>Tada</cfif>' />
               #evaluate( de( dataReturnedFromDBAsString ) )#
          </cfoutput>

          • 2. Re: Executing coldfusion code contained in an SQL record.
            Sahben1 Level 1

Thanks! But your code, as it is, is not working. I'm using ColdFusion 9, and I need something that works with ColdFusion 8 as well :/

             

            • 3. Re: Executing coldfusion code contained in an SQL record.
              Steve Sommers Level 4

              I don't think you need the de() wrapper.

               

Myself, I would reevaluate this logic entirely as it looks very susceptible to abuse (meaning, a hacker could do serious damage if you're not VERY careful).

              • 4. Re: Executing coldfusion code contained in an SQL record.
                Aegis Kleais Level 3

                @Steve-

                 

                I agree with how bad a practice this is, however, you do need the de(), otherwise you'll get an error along the lines of: Invalid CFML Construct on the first '<' character.

                 

                @Sahben1-

                 

I had a typo on the second line where the variable name did not match, but de() and evaluate() exist in CF9. You may want to provide more information than whether it worked or not.

                 

                I am reminded of this phone call I had with a user:

                 

                User: "Is the Internet down."

                Me: "No, I can access it just fine.  What's wrong?"

                User: "The Internet isn't working."

                Me: "How is it not working?"

                User: "I get an error message."

                Me: "What does the error message say?"

                User: "I don't have it on my screen now."

                Me: "Please go to the Internet and provide me the error message."

                User: "Welcome to the Intranet, please enter your username and password."

                Me: "OK, that's not the Internet, that's our Intranet.  And that is not an error message, it requires you logging into it in order to access it."

                User: "Well I put my username and password in."

                Me: "And what happened?"

                User: "It didn't work."

                Me: "HOW did it not work?  Did it prompt you for the username and password again?  Did it give you an error message?"

                User: "It gave me an error message."

                Me: "WHAT did the error message say?!"

                User: "It says 'Your password has expired, please click the link to reset it."

                Me: "Did you click the link?"

                User: "No, I wanted to call you first to make sure the Internet wasn't down because of all these errors."

Me: "...INTRANET.  And these are not errors.  So far they were instructions that you refused to perform at each step."

                User: "It's not my job to fix these errors!"

                Me: "...."

                 

                [phone call disconnected.]

                • 5. Re: Executing coldfusion code contained in an SQL record.
                  Sahben1 Level 1

Haha Aegis!

 

I know that the variable names are not the same.

Actually, I already tried that before.

I will explain more:

 

Here is what I have in my database record:

                   

                  <cfif 1 eq 1> ce poste nécessite un niveau linguistique : #employee_security_level# <cfelse> salut </cfif> .

                   

And here's my code:

                   

                  <cfset employee_security_level = "fiabilité">

                  <cfquery name="getContenu" datasource="myDatabaseTest">
                      select content_fre as contenu from Paragraph
                  </cfquery>

                  <cfoutput query="getContenu">
                      <cfset dataReturnedFromDBAsString = contenu />
                      #evaluate( de( contenu ) )#
                  </cfoutput>

                   

ColdFusion replaces #employee_security_level# with its set value, but it doesn't execute the cfif/cfelse.

                   

Here's the output of my page:

                   

                   

                  Ce poste nécessite un niveau linguistique : fiabilité salut .

                   

                  ************************

I should use virtual files, but that's not working with ColdFusion 8; that's why I am trying to find another solution. My app will be on my intranet, so it doesn't need to be too secure.

                   

                  Thanks guys 

                  • 6. Re: Executing coldfusion code contained in an SQL record.
                    Aegis Kleais Level 3

OK, I got you. Well, the only solution I can think of is taking your code and writing it to a file on the fly, and then including that file subsequently, i.e.:

                     

                    <cfoutput>
                         <!--- Set a dynamic variable here. --->
                         <cfset name = "Aegis" />

                         <!--- Set a variable which will actually be the CF code pulled from the DB.
                               #name# is interpolated at assignment time, so the file gets "Hello Aegis". --->
                         <cfset codeFromDB = '<cfif 1 eq 1>Hello #name#<cfelse>Who are you?</cfif>' />

                         <!--- Write this code to a file (expandPath() closes before the content argument). --->
                         <cfset fileWrite( expandPath( './code.cfm' ), codeFromDB ) />

                         <!--- Include the written file to execute the code dynamically. --->
                         <cfinclude template="code.cfm" />
                    </cfoutput>

                     

                    The above SHOULD output:

                     

                    Hello Aegis.

                     

                    That way it is executing not only the CF code, but also evaluating variable names.

                    • 7. Re: Executing coldfusion code contained in an SQL record.
                      Sahben1 Level 1

Thanks Aegis!

 

I think it is the best way to execute query results, and it's working!

I advise developers to add the evaluation expression if they are assigning database content to a variable. Otherwise ColdFusion will only execute the code but won't evaluate variables.

 

i.e.

                       

                      <cfset myContent = "">
                      <cfloop query="myQuery">
                          <cfset myContent = myContent & evaluate( de( content_fre ) ) & " ">
                      </cfloop>

                       

                      Thanks again ..
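Putting replies 6 and 7 together, this is an added example (not code from the thread) that runs each stored record through a write-and-include helper with a per-request file name and cleanup. It assumes the stored CFML arrives in a column named contenu, that the directory of the current page is writable, and it builds the getContenu query in place instead of querying the database.

```cfml
<!--- Added example, not code from the thread. Assumes the stored CFML comes back in a
      query column named "contenu" and that the directory of this page is writable. --->
<cfset employee_security_level = "fiabilité">

<!--- Runs one stored CFML snippet: write it to a uniquely named .cfm beside this page,
      cfinclude it, then delete it. Wrapping the snippet in cfoutput makes #var# in the
      stored text resolve (the effect reply 7 gets with evaluate(de())), because an
      included file does not inherit the caller's cfoutput context. --->
<cffunction name="runStoredCfml" returntype="void" output="true">
    <cfargument name="code" type="string" required="true">
    <cfset var dynFile = "dyn_" & createUUID() & ".cfm">
    <cfset var dynPath = getDirectoryFromPath(getCurrentTemplatePath()) & dynFile>
    <cftry>
        <!--- A fixed name such as code.cfm lets concurrent requests overwrite each other. --->
        <cfset fileWrite(dynPath, "<cfoutput>" & arguments.code & "</cfoutput>")>
        <cfinclude template="#dynFile#">
        <cfcatch type="any">
            <!--- Do not leave an executable file under the webroot if the include fails. --->
            <cfif fileExists(dynPath)><cfset fileDelete(dynPath)></cfif>
            <cfrethrow>
        </cfcatch>
    </cftry>
    <cfset fileDelete(dynPath)>
</cffunction>

<!--- Constructed stand-in for the getContenu query: the record shown in reply 5.
      "##" in a string literal is an escaped pound sign, so the stored text keeps #var#. --->
<cfset getContenu = queryNew("contenu")>
<cfset queryAddRow(getContenu)>
<cfset querySetCell(getContenu, "contenu",
    "<cfif 1 eq 1> ce poste nécessite un niveau linguistique : ##employee_security_level## <cfelse> salut </cfif> .")>

<!--- Everything in this column is executed as CFML on the server, so only trusted
      developers may write it; treat the Paragraph table like source code, not content. --->
<cfloop query="getContenu">
    <cfset runStoredCfml(getContenu.contenu)>
</cfloop>
```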