Known Participant

Question

Execute a query with a link

Forum|Forum|19 years ago
November 7, 2006
13 replies
1064 views

I need to execute a query with a link. For example, I am working on my picture gallery at www.truckerstoystore.net/gallery.cfm and would like to add a Popular Searches section where the user can click a link such as "Chevy" and a query called Chevy that outputs all pictures in the given table containing Chevy in any of the fields would display the pictures where the pictures display when you search. Can anyone help me?

My other idea was to try to figure out how to make a link that would specify search keywords to the existing PicSearch query.

If anyone would be so kind as to help me out, that would be awesome...I'm stumped! Here is the file I'm working on: gallery.zip

This topic has been closed for replies.

N

Newsgroup_User

Inspiring

> if the user submits more than one keyword at a time, such as "chevy dodge" or
> "chevy s10" in the form. I have records with both contained in them, but if I
> search for one of the above examples, I get no results. Any recommendations on
> making my SQL work better?

You need, then, to treat your keywords as a list of items (delimited by a
space), not one solitary item. And you'll need to check for a match for
each of them.

--
Adam

N

Newsgroup_User

Inspiring

> I appreciate your recommendation for me to use <cfqueryparam>, but honestly,
> I don't know how to use it.

How about after reading the docs:
http://livedocs.macromedia.com/coldfusion/7/htmldocs/00000317.htm

--
Adam

N

Newsgroup_User

Inspiring

> and times where it is not.

What's an example of when it's not?

--
Adam

D

Dan_Bracuk

Inspiring

quote:

Originally posted by: Newsgroup User
> and times where it is not.

What's an example of when it's not?
--
Adam

We are talking about cfqueryparam here.

Example 1 - db does not suppot it.
Example 2 - you want to cache your query
Example 3 - when results in excessively complicated code. This could be the case when you are building a variable that eventually becomes your sql.

C

Cameron0612Author

Known Participant

I understand. Here's why I made my SQL what it is: I wanted the query to pull and display any entry that even remotely resembled the user's form entry (FORM.Keywords). It works like I want it to, but now I've been asked to make "popular search" links for items such as "Chevy", "Ford", "Dodge", "Camper Shells", etc. By the way, you're correct about it not yielding correct results if the user submits more than one keyword at a time, such as "chevy dodge" or "chevy s10" in the form. I have records with both contained in them, but if I search for one of the above examples, I get no results. Any recommendations on making my SQL work better?

I appreciate your recommendation for me to use <cfqueryparam>, but honestly, I don't know how to use it.

D

Dan_Bracuk

Inspiring

I didn't advise you to not use cfqueryparam. There are times where it is a good idea and times where it is not. Based on what I have read so far, in your case, it probably is.

My comments concerned sql injection. Here is some information on it: http://www.adobe.com/devnet/security/security_zone/asb99-04.html

Getting back to your application, your sql will work but it's not very efficient to apply the same keyword to more than one field like that. Also, I am not sure if your approach will give you the desired result if the user submits more than one keyword.

C

Cameron0612Author

Known Participant

Believe me, I would if I knew how and knew that it would get this thing to work. I literally need someone to explain how to do this in depth.

Also, as of now, I'm going to take Dan's advice. He's posted over 3000 times, likely, not out of ignorance. Besides, if someone REALLY wants to get in and destroy my database, they can go for it. It's very small and I have a backup. Thanks for your help, though.

A

Anonymous

YOU REALLY HAVE TO USE CFQUERYPARAM.

There are soo many reasons why you should. Just cos this other dude couldn't get sql injection to work, doesn't mean that lots of other people in the world can't

C

Cameron0612Author

Known Participant

Ok, here's what my current query looks like:

<cfquery name="PicSearch" datasource="truckers">
SELECT *
FROM Pictures
WHERE ( (Make LIKE '%#FORM.Keywords#%')
OR (Model LIKE '%#FORM.Keywords#%')
OR (Caption LIKE '%#FORM.Keywords#%') )
</cfquery>

What do I need to add in order to make a link that pulls, say, only WHERE make, model, or caption contains "chevy?" I really am a CF noob of sorts, and. for what it's worth, you're talking over my head. I need someone to explain all the elements I need to have in place in order for this to work. If I need to modify the query, make a new query, or otherwise.

Here's my search form as well:

<form action="gallery.cfm" method="post">
Search Pictures:
<cfoutput>
<input type="text"
name="keywords"
size="30"
maxlength="50"
value="#FORM.Keywords#">
</cfoutput>
<input type="submit" value="Search">
</form>

I really appreciate your help so far...

D

Dan_Bracuk

Inspiring

For all those waving the sql injection flag, have you ever been able to successfully do it in a text field? I've tried and the query either crashed, or the sql was treated as regular text.

I could get the sql to execute in numeric fields, but not text.

A

Anonymous

jeez guys...
When you are lettings users enter SQL into your system, you have to be very very very careful.

Use <cfqueryparam> this will not only type your variable and prevent SQL injection, but it will also help performance by allowing CF to cache the underlying preparedStatement

A

alternative7111044

Participant

sql insertion can be done as long as there is place for input

Show more replies

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded