9 Replies Latest reply on Jul 24, 2006 8:03 AM by paross1

    query based on a test input box

    briankind
      query based on a test input box

      hi
      i have this html input box and i want to output a query based on what i put in the input box. what should i do now.

      thanks


      <form id="form1" name="form1" method="post" action="">
      <label>enter id <input type="text" name="textfield" />
      </label>
      </form>
        • 1. Re: query based on a test input box
          Level 7
          Read the documentation:
          http://livedocs.macromedia.com/coldfusion/7/htmldocs/00001252.htm

          page1.html
          ----------
          <form id="form1" name="form1" method="post" action="page2.cfm">
          <label>enter id <input type="text" name="textfield" />
          </label>
          </form>

          page2.cfm
          ---------
          <cfquery name="foo" datasource="bar">
          SELECT aField, bField, cField
          FROM aTable
          WHERE aField = <cfqueryParam value="#form.textfield#"
          cfsqltype="cf_sql_varchar">
          </cfquery>

          <cfoutput query="foo">
          #aField# #bField# #cField#
          </cfoutput>

          briankind wrote:
          > query based on a test input box
          >
          > hi
          > i have this html input box and i want to output a query based on what i put in
          > the input box. what should i do now.
          >
          > thanks
          >
          >
          > <form id="form1" name="form1" method="post" action="">
          > <label>enter id <input type="text" name="textfield" />
          > </label>
          > </form>
          >
          • 2. Re: query based on a test input box
            Level 7
            More simple to write

            <cfquery name="foo" datasource="bar">
            SELECT aField, bField, cField
            FROM aTable
            WHERE aField = '#form.textfield#'
            </cfquery>

            No????

            JiB�


            > <cfoutput query="foo">
            > #aField# #bField# #cField#
            > </cfoutput>

            • 3. Re: query based on a test input box
              drforbin1970 Level 1
              Be very, very careful when doing this. If you do not validate your input before passing to your SQL statement, someone could put malicious code in the input box and pass it along to your SQL statement.
              • 4. Re: query based on a test input box
                Level 7
                Yes it is more simple, but then it is also very simple for me, a
                malicious user of the form, to put SQL text into the form field that
                will then be run by the database server.

                If I put this into the input box: foobar'; DROP TABLE aTable; --

                You could be a very unhappy developer.

                Jib� wrote:
                > More simple to write
                >
                > <cfquery name="foo" datasource="bar">
                > SELECT aField, bField, cField
                > FROM aTable
                > WHERE aField = '#form.textfield#'
                > </cfquery>
                >
                > No????
                >
                > JiB�
                >
                >
                >> <cfoutput query="foo">
                >> #aField# #bField# #cField#
                >> </cfoutput>
                >
                • 5. Re: query based on a test input box
                  paross1 Level 2
                  Hey, you might as well live real dangerously. This will allow you to enter an entire query in a text box and submit it.

                  Phil
                  • 6. Re: query based on a test input box
                    briankind Level 1
                    live real dangerously. !

I don't get it. Is this set of code supposed to be good or bad?
I don't mean to hesitate on this, but you wrote this part: "live real dangerously. !"
I just wanted to know if this is safe because I don't want to get fired for not being careful.
                    thanks
                    • 7. Re: query based on a test input box
                      briankind Level 1
                      thanks
                      do not validate your input before passing to your SQL statement, ?
How do you validate?
                      the input will be a string /test just like 123-1234-oop-qa

                      any examples

Also, malicious. What do you mean?
And how can I prevent this?
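Added example, not part of the thread: a small Python/sqlite3 script (used here instead of ColdFusion so it can be run anywhere) that reproduces the two query styles from replies 1 and 2, runs the exact input from reply 4 through each, and adds the input validation asked about in reply 7. The sample table, its rows and the id format (digits-digits-letters-letters, modelled on "123-1234-oop-qa") are constructed assumptions; the real column is an_number and the real format may differ.

```python
import re
import sqlite3

# Constructed sample data standing in for "aTable" from the thread.
SAMPLE_ROWS = [
    ("123-1234-oop-qa", "first", "one"),
    ("456-9876-abc-zz", "second", "two"),
]

# Assumed id format, modelled on the thread's example "123-1234-oop-qa".
ID_PATTERN = re.compile(r"^\d{3}-\d{4}-[a-z]{3}-[a-z]{2}$")

# The input reply 4 warns about.
HOSTILE_INPUT = "foobar'; DROP TABLE aTable; --"

BASE_SELECT = "SELECT aField, bField, cField FROM aTable WHERE aField = "


def fresh_db():
    """Create an in-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aTable (aField TEXT, bField TEXT, cField TEXT)")
    conn.executemany("INSERT INTO aTable VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn):
    """True while aTable is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='aTable'"
    ).fetchone()
    return row is not None


def run_concatenated(textfield):
    """Reply 2's pattern: WHERE aField = '#form.textfield#'.

    The form value is pasted into the SQL text, so whatever it contains is
    parsed as SQL. executescript() is used because it runs every statement
    in the string, which is what a database server does when it receives
    the text the vulnerable template builds. Returns whether aTable survived.
    """
    conn = fresh_db()
    conn.executescript(BASE_SELECT + "'" + textfield + "'")
    return table_exists(conn)


def run_parameterized(textfield):
    """Reply 1's pattern: <cfqueryparam> / a bound parameter.

    The form value is sent separately from the SQL text and can only ever be
    compared as data, so the semicolon and DROP inside it are just characters.
    Returns (matching rows, whether aTable survived).
    """
    conn = fresh_db()
    rows = conn.execute(BASE_SELECT + "?", (textfield,)).fetchall()
    return rows, table_exists(conn)


def validate_id(textfield):
    """Reply 7's question: accept only values that look like a real id.

    This is a second layer on top of parameterization, not a replacement for
    it; it also gives the user a useful error instead of an empty result.
    """
    return ID_PATTERN.fullmatch(textfield) is not None


def lookup(textfield):
    """What page2.cfm should do: validate, then query with a bound parameter."""
    if not validate_id(textfield):
        raise ValueError("textfield does not match the expected id format")
    rows, _ = run_parameterized(textfield)
    return rows


if __name__ == "__main__":
    print("concatenated, benign input, table intact:", run_concatenated("123-1234-oop-qa"))
    print("concatenated, hostile input, table intact:", run_concatenated(HOSTILE_INPUT))
    print("parameterized, hostile input:", run_parameterized(HOSTILE_INPUT))
    print("validated lookup:", lookup("123-1234-oop-qa"))
```

Running it shows the concatenated query losing the table on the reply 4 input while the parameterized query simply returns no rows, and validate_id rejects that input before any query is built at all.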
                      • 8. Re: query based on a test input box
                        briankind Level 1
                        hi!
Do I just insert this '#form.textfield#' just like that, or is the form.textfield a different name?

The name of the field in the database is an_number. Do I have to declare a variable?
Also, "form" in form.textfield, is this exactly the same name?
How does this work?
                        thanks again
                        • 9. query based on a test input box
                          paross1 Level 2
I posted this as an example of what can be done, and it should work as written. However, the "live dangerously" part is because using this template, as written, would allow anyone to execute ANY query in your database, including DELETE and UPDATE queries, without restriction. This is actually a simplified form of the one that I actually developed for one of my applications, as that one actually has a login requirement and state management, etc. that I didn't include, in order to keep it simple. The one I posted is wide open, so use with caution.

                          Phil