The actual code that is causing the error would be helpful.
Ok, let me try to narrow it down, otherwise I'll be posting a colossal text dump. I can at least figure out if it's coming from the update query or the code itself.
Ok, this seems to be a JRun problem, because even if I submit my form to a blank page with no processing, I still get the error.
I tried it with this:
<form action="temp.cfm" method="post" name="test">
<p><label for="namefield">Name</label> <input type="text" name="namefield" id="namefield" size="30" /></p>
<input type="submit" name="submitform" value="Submit" />
</form>
And got the exact same error.
I think there is something else going on. Do you have some code doing any sort of processing on the URL or FORM scoped variables in your application.cfc or cfm page? Your test.cfm page above works fine for me on CF11 & 9.
Nothing really, and I even renamed my application.cfm file. I even tested it on localhost on my local machine in the CF Dev environment.
What I'm doing is this:
- Load the page.
- Open a Firefox addon called "Tamper Data". We've found this to pretty closely replicate the scanner that our security people use. If it passes this addon, it passes the scan, and vice versa.
- Click "Start Tamper".
- Type a number into the form field, then submit.
- When the addon asks, I edit that post field by adding &foo, then click submit.
That gives me the error.
Perhaps the addon/scanner are doing something behind the scenes that we don't know about?
Ah, that duplicated the issue for me. In CF9 I get the 500 error. In CF11 I get a 400 response with a description of "The request sent by the client was syntactically incorrect." Both are correct responses because the syntax is incorrect -- the & should be encoded as & if it is part of the field data value that it follows or foo must be followed by an = sign to delimit the field=value pair.
The scanner is probably complaining about the detail of the error message. All the root cause info sets scanners into a panic. I believe the URL and FORM field parsing is happening in the Java runtime prior to ColdFusion having control, meaning prior to any cferror traps in application.cfc or .cfm files. You will most likely need to configure the Java error handler to not display the details or execute your error template via a redirect. I've done this before but it's been a while and I do not remember off the top of my head how to do this. Google "coldfusion java error trap". Here is one reference for CF9 but remember CF10 and 11 use Tomcat instead of JRun so the configuration might be slightly different: Handling 500 JRun servlet in ColdFusion - Stack Overflow
Thanks Steve, that helps since we're using CF8, so the CF9 procedure will probably still work.
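The behaviour discussed in this thread, as an added Python example (not code from any poster and not JRun's or ColdFusion's own parser): a form body containing a piece with no `=` is rejected, the same value with its `&` percent-encoded parses as data, and the client gets a generic 400 while the detail stays in a server-side log. The function names, the strictness rule as coded and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import unquote_plus, urlencode

# What the client is allowed to see: status and a fixed phrase, no internals.
GENERIC_400 = (400, "Bad Request")


class MalformedBody(ValueError):
    """Raised when an '&'-separated piece is not a name=value pair."""


def parse_form_strict(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body, rejecting any piece
    that lacks '=' (the rule described in the thread, modelled here)."""
    fields = {}
    if not body:
        return fields
    for piece in body.split("&"):
        name, sep, value = piece.partition("=")
        if not sep or not name:
            raise MalformedBody(f"pair without name=value: {piece!r}")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def handle_post(body: str, log: list) -> tuple:
    """Return (status, text). Parser detail goes to the log, never the client."""
    try:
        parse_form_strict(body)
    except MalformedBody as exc:
        log.append(str(exc))   # kept for operators
        return GENERIC_400     # nothing for a scanner to flag as root-cause detail
    return (200, "OK")


# Constructed sample bodies (not captured traffic).
TAMPERED = "namefield=5&foo&submitform=Submit"   # '&foo' appended unencoded
ENCODED = urlencode({"namefield": "5&foo", "submitform": "Submit"})

if __name__ == "__main__":
    server_log = []
    print(handle_post(TAMPERED, server_log), server_log)
    print(ENCODED, handle_post(ENCODED, server_log))
```
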