Skip to main content
E
EwokStud
Known Participant
August 20, 2009
Question

WHERE ID="gb_entryID"

  • August 20, 2009
  • 3 replies
  • 3030 views

One of the most basic CF questions in CFQUERY one can ask, is the WHERE clause, for which I am perplexed.  The book "ColdFusion in 21 Days" manual I purchased several years ago contains the where clause containing WHERE ID="ID" and I know I should be able to decipher the first element.  I am familiar with SQL enough to know the second element refers to the tablefield: gb_entryID (which I created in MS Access).  I do not know what the first element refers to, but I think it has something to do with the NAME attribute in the hidden input tag which contains the VALUE referencing the field: gb_entryID.  I have someone who uses call_number, and he said to use it as I did below.  I cannot consult him any longer, as he passed away a few weeks ago.  What is call number?

My situation is that I get an error message: Variable GB_ENTRYID is undefined.

I have two versions of the guestbook listing: one that the public sees (gb.cfm), and another listing  (gb_mstr.cfm) that I can click on an icon for each entry, to edit just that one record for for misspellings or profanity, or click a checkbox to suspend to public viewing of the entry.  My gb_mstr.cfm page is the page containing links to edit detail of each record, and is for my eyes only.

Here's my guestbook.mdb table structure: gb_entryID (unique), gb_entry_nm_l (text), gb_entry_nm_f (text), gb_entry_m (memo) and here is my HTML/CFML pages:

Entry Edit Page named gb_edit.cfm (available only from gb_mstr.cfm listing page):

<CFQUERY NAME="edit_entry" DATASOURCE="guestbook">
SELECT *
FROM gb_entries
WHERE call_number=#gb_entryID#
</CFQUERY>

<HTML>
<HEAD>
<TITLE>Edit This Entry</TITLE>
</HEAD>
<BODY>
<TABLE>
<TR>
  <TD>
   <TABLE
    WIDTH="100%"
    BORDER="0"
    CELLPADDING="5"
    CELLSPACING="0">
<TR>
  <TD
   VALIGN="top"
   WIDTH="200">
   <A HREF="gb_mstr.cfm">Back to the Master Guestbook</A>
  </TD>
  <TD VALIGN="top">
   <CFOUTPUT QUERY="edit_entry">
   <FORM
    NAME="f_gb_entry"
    ACTION="gb_confirm.cfm"
    METHOD="post">
   <B>Your First Name:</B>
   <BR>
   <INPUT
    TYPE="text"
    NAME="gb_entry_nm_f"
    VALUE="#gb_entry_nm_f#">
   <P>
   <B>Your Last Name:</B><BR>
   <INPUT
    TYPE="text"
    NAME="gb_entry_nm_l"
    VALUE="#gb_entry_nm_l#">
  <BR>
  Uncheck the box to display First Name only:
  <INPUT
   TYPE="checkbox"
   CHECKED
   NAME="gb_entry_nm_l_dspl_x">
   <P>
   <B>Your Email Address:</B><BR>
   <INPUT
    TYPE="text"
    NAME="gb_entry_tce"
    VALUE="#gb_entry_tce#"
    SIZE="40"
    MAXLENGTH="40">
  <BR>
  Uncheck the box to keep email private:
  <INPUT
   TYPE="checkbox"
   checked
   NAME="gb_entry_tce_dspl_x">
   <P>
   <B>Your Comments:</B><BR>
   <TEXTAREA
    COLS="45"
    MAX="50"
    ROWS="5"
    NAME="gb_entry_m">
   #gb_entry_m#
   </TEXTAREA>
   <P>
   <INPUT
    TYPE="hidden"
    NAME="gb_entryID"
    VALUE="#gb_entryID#">
   <INPUT
    TYPE="submit"
    VALUE="Update Your Entry">
   </FORM>
   </CFOUTPUT>
  </TD>
</TR>
</TABLE>
</TD></TR>
</TABLE></BODY>
</HTML>

Guestbook Master Listing named gb_mstr.cfm (for site owners' eyes only):

<CFQUERY NAME="dspl_entries" DATASOURCE="guestbook">
SELECT gb_entries.*, IIf([gb_entry_nm_l_dspl_x]=Yes,[gb_entries].[gb_entry_nm_f] & ' ' & [gb_entries].[gb_entry_nm_l],[gb_entries].[gb_entry_nm_f]) AS nm_z, IIf([gb_entry_tce_dspl_x]=Yes,IIf(IsNull([gb_entries].[gb_entry_tce]),'','Email: ' & [gb_entries].[gb_entry_tce]),'') AS em_z
FROM gb_entries
ORDER BY gb_entries.gb_entry_dt DESC;
</CFQUERY>

<CFQUERY DATASOURCE="guestbook" NAME="edit_entries">
SELECT gb_entries.*
FROM gb_entries;
</CFQUERY>

<HTML>
<HEAD>
<TITLE>Site Owner's Master Listing of Guestbook Entries</TITLE>
</HEAD>
<BODY>
<TABLE
BORDER="0"
WIDTH="100%"
CELLPADDING="0"
CELLSPACING="0">
<CFOUTPUT QUERY="dspl_entries">
<!-- <TR>
//  <TD>
//  <B>#DateFormat('#gb_entry_dt#', "M/D/YYYY")#</B>
//  </TD>
// </TR>
// --><TR>
  <TD>
<IMG
SRC="http://65.61.35.197/md/img/icons/pencil20x20.gif"
BORDER="0">
<IMG
SRC="http://65.61.35.197/md/img/icons/magnifying_glass01_20x.gif"
BORDER="0">
<BR>
<B>Name:</B> #gb_entry_nm_f# #gb_entry_nm_l#<BR>
<B>Email:</B> #gb_entry_tce#<BR>
<B>City or Town:</B> #gb_entry_cy#, #gb_entry_stt#<BR>
<B>Comments:</B>#gb_entry_m#<BR>
<A HREF="gb_del_confirm.cfm?call_number=#gb_entryID#"
  onClick="return(window.confirm('This will PERMANENTLY delete this entry!
  Are you sure you wish to proceed?'));">
DELETE THIS TASK
</A>
</CFOUTPUT>
<FORM
  ACTION="gb_mstr.cfm"
  METHOD="post">
<CFOUTPUT QUERY="edit_entries">
<B>Delete this Entry:</B>
<INPUT
  TYPE="checkbox"
  NAME="gb_entry_del_x"
  VALUE=#gb_entry_del_x#>
</CFOUTPUT>
<BR>
<INPUT TYPE="Submit" VALUE="Save">
</FORM>
  </TD></TR>
</TABLE>
</BODY>
</HTML>

    This topic has been closed for replies.

    3 replies

    E
    EwokStudAuthor
    Known Participant
    September 29, 2009

    A belated thanks Ian!

    ilssac
    ilssac
    Inspiring
    September 29, 2009

    Me?

    Did I comment on this thread?

    Is there another Ian around here?

    T
    TLC-IT
    Inspiring
    August 20, 2009

    Here's the soap:

    • WHERE FOO="BAR" literally refers to the three-character string, "BAR."  ColdFusion sees nothing interesting that it has to do with that.

    • WHERE FOO=#BAR# on the other hand is a variable-substitution.  Something has been enclosed between hash-marks '#' therefore ColdFusion will attempt to parse and evaluate whatever's inside.  The entire construct, including the two hash-marks, will be replaced with whatever the result of that evaluation turns out to be.

    • An "SQL injection" attack consists of causing that substitution to modify the SQL string itself in some very-nasty way.  Simple string-substitution is vulnerable to that sort of thing.  Therefore, when you are constructing SQL queries using user-provided (or any...) information, you want to provide the substituted values as parameters to the query, so that the SQL server will receive a query-string with a list of placeholders and a set of values which it will substitute for each one of those placeholders.  (Thus, the user cannot modify the SQL string itself.) 

    Fortunately, it is very easy to work with parameters in SQL queries:  the <cfqueryparam> tag thoughtfully does all of the heavy-lifting for us.  The SQL server will get a properly-parameterized SQL string and, separately, the correct value that it is to insert for each parameter.  "It Just Works."

    Also review the <cfoutput> tag.  If you want to do #substitutions# in ordinary HTML text, you must enclose these areas in this tag so that CF will know to look for substitutions in those areas (which it normally does not do...).  You don't need to use this tag to demark areas which are already understood to involve substitutions.

    A
    Anonymous
    August 20, 2009

    I'm not seeing in the master list a link to edit, but based on the link to delete (which may or may not be the same), the query to get the item on the edit page may be this:

    <CFQUERY NAME="edit_entry" DATASOURCE="guestbook">
    SELECT *
    FROM gb_entries
    WHERE call_number=#url.call_number#
    </CFQUERY>

    You should look at the cfqueryparam tag for your query variables for security:

    <CFQUERY NAME="edit_entry" DATASOURCE="guestbook">
    SELECT *
    FROM gb_entries
    WHERE call_number=<cfqueryparam cfsqltype='cf_sql_varchar' value='#url.call_number#'>
    </CFQUERY>

    This prevent a sql injection attack.

    Byron Mann

    mannb@hostmysite.com

    byronosity@gmail .com

    Lead Software Architect

    hosting.com | hostmysite.com

    http://www.hostmysite.com/ ?utm_source=bb

    Terms & ConditionsAccessibility statement
    Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices