Cold Fusion 8 - Login Problems

Report · Oct 26, 2017

I recently started to get an error message when logging into my site after years of it working fine. I am more on the marketing/financial side so feel free to talk down to me. Here is the message:

The error occurred in C:/Websites/rc9c8dae/admin_essllc/login.cfm: line 91

Called from C:/Websites/rc9c8dae/admin_essllc/Application.cfm: line 36

Called from C:/Websites/rc9c8dae/admin_essllc/login.cfm: line 91

Called from C:/Websites/rc9c8dae/admin_essllc/Application.cfm: line 36

89 :

90 : <cfif #ParameterExists(Caller.FORM.Login)# IS "YES" AND #ParameterExists(Caller.FORM.Password)# IS "YES">

91 : <cfquery name="GetUserRecord" datasource="#Attributes.DATASOURCE#" username="#request.db_username#" password="#request.db_password#">

92 : SELECT * FROM #Attributes.TABLE#

93 : WHERE #Attributes.USERFIELD# = '#Caller.FORM.Login#' AND

There is a much more detailed message below this one which I can post if needed. Any help would be appreciated. I am using Cold Fusion Version 8 and Windows Server 2003.

Report · Oct 26, 2017

You will need to post a full error message. It could be that something was changed on your database server (for example the login you are using was disabled, or the password changed) causing it to fail, but all anyone can do is speculate without the error message (just make sure the error message doesn't contain anything sensitive such as passwords, server names, etc before posting it - you can just replace the actual values with X's and then post it).

I also think it is worth pointing out that the code you have posted is vulnerable to a security hole called SQL Injection (a big reason you should not post any server names in your response). So, unfortunately another possibility as to why it is not working is that an attacker got into your database and messed around with stuff. Finally I should also point out that the end of core support for CF8 ended many years ago, so Adobe stopped providing security patches for CF8 many years ago, you should consider upgrading to ColdFusion 2016 as well.

--

Pete Freitag

Foundeo Inc. - ColdFusion Consulting & Security Products

Report · Oct 26, 2017

Now I am too scared to post the full message.

Report · Oct 26, 2017

If you want send it to me directly, you can do so here: https://foundeo.com/contact/

I can let you know if it is ok to post.

Report · Oct 26, 2017

Done and thanks.

Report · Oct 26, 2017

Here is the relevant info from the full error message:

java.sql.SQLException: Datasource XX could not be found

Report · Oct 26, 2017

This means that someone has removed the datasource from the SQL server.

Whatever #Attributes.DATASOURCE# is equal to is either incorrect or the database on the server has been removed or rename.

You will first need to check the value of #Attributes.DATASOURCE# and if that is correct ask whoever runs the SQL server to check the database still exists

Report · Oct 29, 2017

clueless100 wrote
Here is the relevant info from the full error message:
java.sql.SQLException: Datasource XX could not be found

As haxtbh rightly says, ColdFusion could not find the datasource whose name was originally stored as the variable attributes.datasource. Might other attributes have changed over time as well?

To verify this, place the following debugging code temporarily just before the if-statement, that is, on line 89:

Do all the attributes exist? Does each have the value you expect?

Report · Oct 26, 2017

clueless100 wrote
90 : <cfif #ParameterExists(Caller.FORM.Login)# IS "YES" AND #ParameterExists(Caller.FORM.Password)# IS "YES">

While you're at it, change that line to

Report · Oct 26, 2017

Thanks. I will try these fixes and report back.

Report · Oct 27, 2017

As for this recommendation about parameterexists vs isdefined, I realize you're technically "right", BKBK, since the former has been deprecated since like CF3. 🙂 But honestly, since it's been deprecated for nearly 20 years and yet has not been obsoleted/removed, it doesn't seem really that important to push people to get off of it.

And honestly, I don't know why it was ever deprecated in the first place. It works just fine, and some find it easier to read/use. The only reason isdefined was added was so that the name of the variable could be specified more dynamically, if that was ever necessary. But if it's just a simple variable name like in the code above, parameterexists works just fine. (And I'm not aware of any performance difference to warrant changing it.)

None of this is really relevant to the OP's problem, but since it was brought up I thought I'd shared different perspective on the point. Not saying I'm right, either. 🙂

/Charlie (troubleshooter, carehart.org)

Report · Oct 28, 2017

Thanks for the remark, Charlie.

The documentation says:

ColdFusion MX: Deprecated this function. It might not work, and might cause an error, in later releases.

Report · Oct 28, 2017

I suppose you are saying that one can read that as implying that randomly it may just "not work" as expected, but I would read it instead as just clumsy wording warning that, yes,it could be deprecated in the future.

But I wasn't denying that it's deprecated. My point was that it's been deprecated forever. As you can see with your quote, to at least CF6 ("CFMX"). I just found a post from Adam where he and commenters confirms what I said: that it was deprecated in CF3 (http://blog.adamcameron.me/2013/08/parameterexists.html).

All that said, I don't deny that people should *probably* favor using isdefined (or other alternatives) for testing variable existence versus good ol' parameterexists. It may well be removed some day. And I'll note that besides those two, and structkeyexists (and the like), there are also the elvis operator (?:) introduced in CF11 and the "safe navigation operator" (?.) introduced in CF2016 that could perhaps supplant the need for either of those functions.

But again, all of this is way off-topic from the original post above.:-) And though he's on CF8, I hope it may help some readers.

/Charlie (troubleshooter, carehart.org)