December 2, 2013

Executing ColdFusion code contained in an SQL record.


Hi everyone,

I have ColdFusion code saved in a database record. When I run a query it shows me the content of the database records, but it doesn't execute it. Is there any way to execute the query result?

Thanks

Correct answer: Aegis_Kleais

Haha Aegis!

I know that the variable names are not the same.

Actually I already tried that before.

I will explain more:

Here is what I have in my database record:

<cfif 1 eq 1> ce poste nécessite un niveau linguistique : #employee_security_level# <cfelse> salut </cfif> .

And here's my code:

<cfset "employee_security_level" = "fiabilité">

<cfquery name="getContenu" datasource="myDatabaseTest">
    select content_fre as contenu from Paragraph
</cfquery>

<cfoutput query="getContenu">
    <cfset dataReturnedFromDBAsString = '#contenu#' />
    #evaluate( de( '#contenu#' ) )#
</cfoutput>

ColdFusion replaces #employee_security_level# with its set value, but it doesn't execute the cfif/cfelse.

Here's the output of my page:

Ce poste nécessite un niveau linguistique : fiabilité salut .

************************

I should use virtual files, but that's not working with ColdFusion 8, which is why I am trying to find another way. My app will be on my intranet, so it doesn't need to be too secure.

Thanks guys


OK, I got you. Well, the only solution I can think of is taking your code and writing it to a file on the fly, and then including that file subsequently, i.e.:

<cfoutput>
    <!--- Set a dynamic variable here. --->
    <cfset name = "Aegis" />

    <!--- Set a variable which will actually be the CF code pulled from the DB. --->
    <cfset codeFromDB = '<cfif 1 eq 1>Hello #name#<cfelse>Who are you?</cfif>' />

    <!--- Write this code to a file (expandPath resolves the path, fileWrite takes path and content). --->
    <cfset fileWrite( expandPath( './code.cfm' ), codeFromDB ) />

    <!--- Include the written file to execute the code dynamically. --->
    <cfinclude template="code.cfm" />
</cfoutput>

The above SHOULD output:

Hello Aegis.

That way it is executing not only the CF code, but also evaluating variable names.

December 3, 2013

The data coming back as a string may be able to be evaluated, i.e.:

<cfoutput>
    <cfset dataReturnedFromDBAsString = '<cfif 1 eq 1>Tada</cfif>' />
    <!--- Variable name corrected to match the cfset above. --->
    #evaluate( de( dataReturnedFromDBAsString ) )#
</cfoutput>

December 3, 2013

Thanks! But your code as it is, is not working. I'm using ColdFusion 9, and need something working with ColdFusion 8 as well :/

December 3, 2013

I don't think you need the de() wrapper.

Myself, I would reevaluate this logic entirely as it looks very susceptible to abuse (meaning, a hacker could do serious damage if you're not VERY careful).
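A safer way to get the same rendered paragraph, added here as an example and not code from this thread: keep the database record as plain text with named placeholders and let the page supply the values, so nothing from the database is ever passed to evaluate() or written to a file and included. Function and variable names (renderStored, allowedValues, contenu) are assumed; it uses only tags and functions available in ColdFusion 8.

```cfml
<!--- Added example, not code from the thread. Stored text carries placeholders
      such as {employee_security_level}; it is never evaluated or included as CFML.
      Names (renderStored, allowedValues, contenu) are assumed. --->
<cffunction name="renderStored" returntype="string" output="false">
    <cfargument name="template" type="string" required="true" />
    <cfargument name="values" type="struct" required="true" />
    <cfset var out = arguments.template />
    <cfset var key = "" />
    <!--- Substitute only placeholders whose names are in the allow-list;
          any other {token} in the record is left as literal text. --->
    <cfloop collection="#arguments.values#" item="key">
        <cfset out = replaceNoCase(out, "{" & key & "}", arguments.values[key], "all") />
    </cfloop>
    <!--- Escape before output so any markup in the record is shown as text,
          not rendered by the browser, and never executed by ColdFusion. --->
    <cfreturn htmlEditFormat(out) />
</cffunction>

<!--- Values the page is willing to expose to stored content. --->
<cfset allowedValues = structNew() />
<cfset allowedValues["employee_security_level"] = "fiabilité" />

<!--- Constructed sample standing in for getContenu.contenu. The cfif decision
      from the original record now lives in the page, so the record holds only
      the text to display. --->
<cfset contenu = "Ce poste nécessite un niveau linguistique : {employee_security_level}." />

<cfoutput>#renderStored(contenu, allowedValues)#</cfoutput>
```

If different records need different branches, store one row per branch and let the page's own cfif pick the row; the stored text still never becomes code.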