I can only figure out how to debug on the flex side

Report · Sep 30, 2008

I am calling CFC methods from my flex applications but I can only figure out how to debug on the flex side. Is it possible to debug on the CFC methods begin called from flex? I don't think this is possible but you may prove me wrong 🙂

Report · Sep 30, 2008

Hi,

Try adding a <mx:TraceTarget> tag to your mxml file...

And then have a look at your debugging panel for the required information.

Report · Sep 30, 2008

Thanks.

As a workaround I tried returning the thing that I suspect the problem lies:

<cffunction name="updateField" access="remote" returntype="String">
<cfargument name="field" required="true" type="string">
<cfargument name="currencyName" required="true" type="string">

<cfargument name="value" required="true" type="Numeric">

<cfquery name="q" datasource="#datasource#">
update tbale
set <cfqueryparam value="#arguments.field#" cfsqltype="cf_sql_varchar"> =
<cfqueryparam value="#arguments.value#" cfsqltype="cf_sql_float">
where currencyName =
<cfqueryparam value="#arguments.currencyName#" cfsqltype="cf_sql_varchar">
</cfquery>

<cfset flash.result="update RATES #arguments.field#" >
<cfreturn flash.result>
</cffunction>
but the following line does not return the correct string:

<cfset flash.result="update RATES #arguments.field#" >

I do I add arguments to the string?

Report · Sep 30, 2008

Hi,

What exact output you are getting there?...

Also do you have a fault handler in your <mx:RemoteObject> tag while calling the CFC?.. If so what error is that throwing?..

Report · Sep 30, 2008

For when using this function i get returned: update RATES set Barclays = 3

<cfquery name="q" datasource="#datasource#">
update RATES
set <cfqueryparam value="#arguments.field#" cfsqltype="cf_sql_varchar"> =
<cfqueryparam value="#arguments.value#" cfsqltype="cf_sql_float">

</cfquery>

<cfset flash.result="update RATES set #arguments.field# = #arguments.value#" >
<cfreturn flash.result>

Report · Sep 30, 2008

No change occurs in the database when this function is called.

However if I put

update RATES set Barclays = 3

in the sql editor it works

Report · Sep 30, 2008

The simplest way to debug cold fusion code is with a web browser. Write a simple page that invokes your code both as a webservice and cfc and look at the debugging information.

Once you know your component works properly, don't mess with it. Subsequent problems will be something else.

Report · Sep 30, 2008

I isolated the problem:

This will work:

update RATES set #arguments.field# = #arguments.value#

but this will not:

update RATES set <cfqueryparam value="#arguments.field#" cfsqltype="cf_sql_varchar"> = #arguments.value#

Surly I must be able to use the
<cfqueryparam value="#arguments.field#" cfsqltype="cf_sql_varchar">
in place of
#arguments.field#
in my query as I need to protect from sql injection?

Report · Sep 30, 2008

sure, but use it on the VALUE part, not the FIELD NAME.

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

Report · Sep 30, 2008

But I must use it on the field because that part is still vulnerable to sql injection. Am I wrong in this?

Report · Sep 30, 2008

quote:

Originally posted by: nikos101
But I must use it on the field because that part is still vulnerable to sql injection. Am I wrong in this?

yes

Report · Sep 30, 2008

Please assure me, I can't afford a mistake here. I'm pretty sure an arbitrary string inserted into #arguments.field# could cause a breech.

Could you spoon feed me a bit of code that checks that #arguments.field# only contains alpha numeric characters, I can't be bothered relearning how to do this in CF 😉

Report · Sep 30, 2008

I'd use a list function myself.

var ListofFields = "field1,field2,etc";
var goodargument "false";
if ListFind(ListOfFields, arguments.field) gt 0)
goodargument = true;

Then you can use the goodargument variable to decide whether or not to run your query.

Report · Oct 01, 2008

I researched refind and used this to protect my sql

<cfif REFind("^[a-zA-Z0-9]+$", arguments.field) >

<cfquery name="q" datasource="#datasource#">

update RATES set #arguments.field# = <cfqueryparam value="#arguments.value#" cfsqltype="cf_sql_float">
where currencyID =
<cfqueryparam value="#arguments.currencyID#" cfsqltype="cf_sql_integer">

</cfquery>
</cfif>

Report · Oct 01, 2008

For quick debugging I find it easy to add cftry/catch in server code and use use cfdocument to generate a PDF of the error. Overall probably the most useful debug tool for me is Charles ( http://www.charlesproxy.com/) which allows you to see your AMF results (and much more) easily.