cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Exit
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
  • 한국 커뮤니티
0
Upvote

cfquery fails with conditional query stored in a variable

Guest
Sep 22, 2010 Sep 22, 2010

Following code doesnt work. Can anyone explain why?

<cfset myquery="select * from employee where id = '10'">
<cfquery name="a" datasource="mydsn">
#myquery#
</cfquery>

TOPICS
Advanced techniques
1.1K
Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Adam Cameron.
LEGEND , Sep 22, 2010 Sep 22, 2010

What do you mean by "doesn't work"?  You really ought to read this before posting: http://forums.adobe.com/thread/607238.

Is the ID really a string-oriented column?  I would expect it to be an integer, so it oughtn't have the quotes.

Also, if you are doing what you're doing, if your variable has single quotes in it, you'll need to use preserveSingleQuotes() to stop CF escaping them.

--
Adam

Translate
replies 9 Replies 9
latest latest Jump to latest reply
Adam Cameron.
LEGEND ,
Sep 22, 2010 Sep 22, 2010

What do you mean by "doesn't work"?  You really ought to read this before posting: http://forums.adobe.com/thread/607238.

Is the ID really a string-oriented column?  I would expect it to be an integer, so it oughtn't have the quotes.

Also, if you are doing what you're doing, if your variable has single quotes in it, you'll need to use preserveSingleQuotes() to stop CF escaping them.

--
Adam

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Guest
Sep 22, 2010 Sep 22, 2010
In Response To Adam Cameron.

My sincere apologies for not reading that thread before posting because of which my post which seemed fine to me doenst seem the same any longer.

Anyway, yes you are right that the column is a string oriented one because of which I am using single quotes. And you are right again about escaping single quotes which was the real problem. Once I used the function mentioned, it worked prefectly.

Thanks again.

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
-__cfSearching__-
Valorous Hero ,
Sep 22, 2010 Sep 22, 2010
In Response To Deleted User
Once I used the function mentioned, it worked prefectly.

While PreserveSingleQuotes() is the correct function to use to resolve that error, be sure you understand the security ramifications of using it. ColdFusion automatically escapes single quotes to help combat sql injection.  PreserveSingleQuotes() prevents that from happening.  So if your sql string includes user supplied values, it may be vulnerable to sql injection.

Message was edited by: -==cfSearching==-

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dan_Bracuk
LEGEND ,
Sep 22, 2010 Sep 22, 2010
In Response To -__cfSearching__-

Are you sure about that?  All of my sql injection test results suggest otherwise.

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
-__cfSearching__-
Valorous Hero ,
Sep 22, 2010 Sep 22, 2010
In Response To Dan_Bracuk

All of my sql injection test

results suggest otherwise.

As I mentioned on another thread, a quick search of google will turn up many articles that concur.  So your comments suggest that either your tests are incorrect, or perhaps you have a database that is not capable of executing multiple statements.  Please post more details about which database and what tests you are using.  Since it is rather trivial to reproduce, either something in your tests is very wrong or you are omitting some key details ...

Message was edited by: -==cfSearching==-

Message was edited by: -==cfSearching==-

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dan_Bracuk
LEGEND ,
Sep 22, 2010 Sep 22, 2010
In Response To -__cfSearching__-

To summarize, with MSSql, which does allow multiple queries in a cfquery tag, you can get a user entered query to execute if the datatype is numeric.  If the field was char or varchar, the form field would be treated as a single string.   It was awhile ago, but I think with date fields, the query would simply crash.

My tests also include javascript.  To make a long story short, those who rely only on cfqueryparam for security are unprotected.

But then again, maybe my tests were wrong.

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
-__cfSearching__-
Valorous Hero ,
Sep 22, 2010 Sep 22, 2010
In Response To Dan_Bracuk

To make a long story

short, those who rely only on cfqueryparam for security are

unprotected.

I disagree with that statement, and you do not really explain why you think it is unprotected. Could you provide an example of a query that is unprotected with cfqueryparam?

 

But then again, maybe my tests were wrong.

But .. the previous conversation was about your disagreement with my statement: "using PreserveSingleQuotes() makes queries insecure." If you are not able to easily reproduce that vulnerability in a simple test against MS SQL, then I would agree. Your tests are wrong.

http://www.coldfusionmuse.com/index.cfm/2008/7/21/query-string-with-cfqueryparam

-Leigh

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Dan_Bracuk
LEGEND ,
Sep 22, 2010 Sep 22, 2010
In Response To -__cfSearching__-

Regarding:

Could you provide an example of a query that is unprotected with cfqueryparam?

insert into sometable

(somefield)

values

(<cfqueryparam value = "<script>code goes here;</script>">

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
-__cfSearching__-
Valorous Hero ,
Sep 22, 2010 Sep 22, 2010
LATEST
In Response To Dan_Bracuk

insert into sometable

(somefield)

values

(<cfqueryparam value = "<script>code goes

here;</script>">

That is not sql injection. It is script injection which requires totally different protection methods.  As I am sure you know.  We were talking about a specific sql injection risk posed by using PreserveSingleQuotes().  http://en.wikipedia.org/wiki/SQL_injection

>> PreserveSingleQuotes() .... it may be vulnerable to sql injection.

...

>>>> Are you sure about that?  All of my sql injection test results

>>>> suggest otherwise.

... Are you suggesting PreserveSingleQuotes() IS safe from your script injection example?

Translate
Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Open in a new window
Copyright © 2025 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices