Skip to main content
Inspiring
September 12, 2007
Question

Need a Way to Show Autonumber when Inserting

  • September 12, 2007
  • 20 replies
  • 2492 views
Hi everyone,

I am a newbie and I am inserting a new record into a database. When that record is inserted, it is given the unique key which is generated with the autonumber field in the database.

How do I show that number on the webpage?

When I insert it into the database, the number is generated, but I can't do a query on that number because I dont know what it is (since it was JUST generated).

I am writng a classified ad site and when someone posts an ad, they are given a unique ad # and they need to know this ad number to edit their ad later. That's what I can't do ...show them their ad number.

Thanks for any and all input!! -Tony
This topic has been closed for replies.

20 replies

Inspiring
September 15, 2007
Well, Here's what I did: I passed the PIN from the input page, then on the UPDATE page, I queried the record for the PIN in the database and compared it to the one passed thru the form.

THat should do it! IF someone tries to send a form to the server's update page, they'll need to know the PIN.

SO in conclusion: the answer to returning the ID of the record that was just created is to create a UUID and then pull the record with that UUID.

Thank you everyone again, These forums are indespensible and it takes kind ppl like you to contribute. -Tony
September 14, 2007
I know the author of a linked page says he (she?) doesn't like using @@identity with SQL Server (because it's a proprietary solution), but I use it fairly regularly. Use the tools at your disposal, I say! :-)
September 14, 2007
how about another approach

i create a variable based on date/time on the form page as in

<input type="hidden" name="OrderPstNum" value="#DateFormat(NOW(), "md")##TimeFormat(NOW(), "hhmmss")#">

this is numeric

you can put a cflock around creation of OrderPstNum to make sure not duplicated...

when posted, writes to table along with all the other data.

then do a query using OrderPstNum and say LastName just getting primary key autonumber (adID). once i have that, use exclusivly.

<cfquery name="cknewad" datasource="mydata">
SELECT adID
FROM ads
WHERE LastName = '#LastName#' AND OrderPstNum = #OrderPstNum# ;
</cfquery>

<cfoutput>
<cfset adID = #cknewad.adID#
</cfoutput>
Inspiring
September 14, 2007
So, what if my update page ( just after the edit page) looked like this:

1) Cfquery the adnumber to get the PIN
2) Compare that PIN to the PIN passed from the previous page (thru URL)
3) Update the ad only if the PINs match.

I'm thinking that if a hacker creates his own form on his PC and points it to the server's update page, the update won't take place unless that hacker knows the PIN.

Does that sound right? Thanks for ALL the great info so far!! -Tony

BTW, I am ASSIGNING 5-digit PIN's; I decided that should be better. I want to try to do this site without relying on any emails whatsoever. I may ask the user to click on "send -> page by email" on their browsers if they need an email record of their PIN, but I may need to change that if the site gets big and unwieldy.
Participating Frequently
September 14, 2007
That sounds ok to me - just keep in mind what was said before about checking the id number and pin number at every step to avoid any breach of security. You might also want to consider the point made by Azadi about the benefits of having users login so they can maintain many ads at once rather than having to remember a number of unrelated ad id's and pins.
Inspiring
September 14, 2007
I really, really, really wanted to make this classifieds ad site simple enough to not require logins. For instance, Craigslist doesn't require logging in.

I know I hate logging in when making purchases on the internet; "why can't I just give you my address and CC?" I ask myself ...and some sites do this.

I'm trying to think of a way that asks for the PIN number again before inserting, but I'm wondering if the same problem would be present.

So all these CF sites can be hijacked with our own forms with an insert query or cfinsert? WOW; you'd think cold fusion would have addressed this from the begining.

I am still at a loss with what I am going to do to prevent this and require logging in. I will research the "cgi.http_referer " and see what that's about.

I"ll post an update. BTW you can see my site at 68.83.9.216/haa if you're curious. PLease don't hack it to oblivion ;-). The colors and appearance will be taken care of later but for now I"m working the mechanics out.

-Tony
Participating Frequently
September 14, 2007
Sorry but I don't really understand what the problem is.

If a user creates an ad and, as part of the creation process supplies a pin or password, then the ad is saved along with the user selected pin/password and returns an ad id number.

To edit the ad, the user enters the ad id and the pin/password - the edit page receives these two values, checks them against the stored ad and if both are correct, displays the ad and allows it to be edited. As long as every step in the edit process checks both the ad id and pin/password, there should be no problems.

Have I missed something?

cheers.
BKBK
Community Expert
Community Expert
September 13, 2007
I think the combination username, password, adnumber and pinNumber to be secure enough. So long as you may only supply your adNumber and pinNumber after logging in.

Inspiring
September 13, 2007
Dan Bracuk: Can you elaborate? I'm not sure what you have in mind.
Inspiring
September 13, 2007
quote:

Originally posted by: cf_dev2
Dan Bracuk: Can you elaborate? I'm not sure what you have in mind.

You said that you could make a form and submit it. If you did, the cgi.http_referrer variable would be different than the expected value. As a developer, I can always use the expected value to ensure the request came from the form that I wrote, not the one you wrote.

However, there is software out there, Norton Internet Security for example, that allows users to not send that information. I have it at home. I know that it work because I have to disable it when I want to do something on our work site from home.
Inspiring
September 13, 2007
Dan Bracuk wrote:
> You said that you could make a form and submit it. If you did, the cgi.http_referrer variable
> would be different than the expected value.

Duh. I read that too quickly and thought you were talking about cgi.remote_addr. Yes, that's true assuming it isn't blocked by user firewalls or simply faked. Its trivial to fake a header.

There is no perfect solution but I would go with BKBK's suggestion of implementing a login. Its more secure than relying on browser headers that may or may not be accurate and/or present.

Edit - IMO anyway
Inspiring
September 13, 2007
You can use cgi.http_referrer to guard against that. Just bear in mind that this has limitations as well, the user can refuse to send it.
Inspiring
September 13, 2007
OMG ....you're RIGHT! I never thought of that.

Is there a relatively easy way around that that can be explained in this forum or is it so involved that I'd need to get a book on cold fusion security and start reading?

THANK YOU for pointing that out. -Tony
Inspiring
September 13, 2007
cf_dev: I'm just requiring a the ad number and a PIN# that they choose to edit it. I currently have it issuing a PIN# but thought it may be more user-friendly to let them choose.

You have a suggestion?
Inspiring
September 13, 2007
Not a suggestion. Just a comment/question about the level of security.

You may have it setup differently, but it sounds like you have a screen with two text boxes: adNumber and pinNumber. The user enters the correct adNumber and pinNumber and the application displays a screen to edit the advertisement. When finished they click a submit button and the ad is updated. That setup is not secure because I create a form on my computer and submit to your site using someone else's ad number.