Bytes | Software Development & Data Engineering Community

Problem with a record deletion

dmorand
219 New Member
Ok, I've looked at this for a while now and I'm just not seeing what the issue is. I have a page which is set up to delete records from a table. I'm getting a CF error when I submit.

CF Error:

Attribute validation error for tag cfoutput.
The value of the attribute query, which is currently "delSystem", is invalid.

The error occurred in C:\Inetpub\wwwroot\Security_Access\systemSubmit.cfm: line 25

23 :
24 : <cfif isDefined("URL.op") and URL.op IS "del">
25 : <cfoutput query="delSystem">
26 : Record #sysID# deleted!
27 : </cfoutput>

Here is the code snippet:

```cfml
<cfif isDefined("URL.op") and URL.op IS "del">
    <cfquery name="delSystem" datasource="Security_Access" dbtype="ODBC">
        delete from tblSystem
        where sysID=#URL.sysID#
    </cfquery>
    <cfoutput query="delSystem">
        Record #sysID# deleted!
    </cfoutput>
</cfif>
```

I don't see what the issue is because delSystem is named correctly, and the query does run because when I check the database table after, I see that the record gets deleted. This is the only query I'm having an issue with, and it's a delete query. Is there something special because I'm deleting?
Sep 28 '07 #1
4 3360
dmorand
219 New Member
Never mind, I'm a moron...

I need to use #URL.sysID# not #sysID#

It's Friday... no more coding for me
Sep 28 '07 #2
Shift4SMS
14 New Member
This is off-topic, but your example is a perfect demonstration of how to create a SQL injection and a cross-site scripting vulnerability.

To prevent SQL injection you should always use VAL() on numeric values and escape string values of all URL or FORM variables. If you are not familiar with SQL injection, here is an example using your sample code:

templatename.cfm?op=del&sysID=0%20or%201%3D1

which will be processed in your query as:

```cfml
<cfquery name="delSystem" datasource="Security_Access" dbtype="ODBC">
    delete from tblSystem
    where sysID=0 or 1=1
</cfquery>
```

which in turn will produce devastating results for your database. This is a simple example. If a hacker finds a SQL injection door open, he or she can do much more damage than this. Correcting the problem is simple:

```cfml
<cfquery name="delSystem" datasource="Security_Access" dbtype="ODBC">
    delete from tblSystem
    <!--- Val() reduces the URL variable to a number, so no SQL text can be spliced in --->
    where sysID=#Val(URL.sysID)#
</cfquery>
```

Cross-site scripting, or XSS, is when a hacker can cause a client browser to display and execute unwanted and possibly dangerous scripting code. The part of your sample of concern is here:

templatename.cfm?op=del&sysID%3Cscript%20language%3D%22JavaScript%22%20type%3D%22text%2Fjavascript%22%3Ealert%28%22You%27re%20screwed%21%22%29%3B%3C%2Fscript%3E

which will process in your display block as:

```cfml
<cfoutput query="delSystem">
    Record <script language="JavaScript" type="text/javascript">alert("You're screwed!");</script> deleted!
</cfoutput>
```

XSS is harder to prevent than SQL injection. The site www.owasp.org details both these vulnerabilities more and has links to even more info. I highly recommend that you research this further.
Oct 4 '07 #3
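A hardened version of the delete page that applies the fixes discussed above, added here as an example and not code from anyone in the thread. It keeps the poster's datasource, table and column names, and assumes ColdFusion MX 7 or later for the cfquery `result` attribute; a DELETE returns no rows, which is why the original `<cfoutput query="delSystem">` failed validation.

```cfml
<!--- Example hardening of the original delete page (not from the thread) --->
<cfif isDefined("URL.op") and URL.op IS "del" and isDefined("URL.sysID")>

    <!--- Reject anything that is not a whole number before touching the database --->
    <cfif not isNumeric(URL.sysID) or Val(URL.sysID) NEQ Int(Val(URL.sysID))>
        <cfoutput>Invalid system id.</cfoutput>
        <cfabort>
    </cfif>

    <!--- cfqueryparam binds sysID as a typed parameter, so "0 or 1=1"
          is sent to the driver as a value and never becomes SQL text.
          result="delResult" (assumed available: CF MX 7+) exposes the
          affected-row count, since a DELETE has no result set to cfoutput over. --->
    <cfquery name="delSystem" datasource="Security_Access" result="delResult">
        delete from tblSystem
        where sysID = <cfqueryparam value="#URL.sysID#" cfsqltype="cf_sql_integer">
    </cfquery>

    <!--- HTMLEditFormat() escapes < > & " so a script tag in the URL is rendered
          as text instead of executed by the browser --->
    <cfoutput>
        <cfif delResult.recordCount GT 0>
            Record #HTMLEditFormat(URL.sysID)# deleted!
        <cfelse>
            No record with id #HTMLEditFormat(URL.sysID)# was found.
        </cfif>
    </cfoutput>

</cfif>
```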
acoder
16,027 Recognized Expert Moderator MVP
Excellent info. Do you think you could write a quick article based on this?
Oct 4 '07 #4
dmorand
219 New Member
Wow, that's very handy. I'm pretty safe because I'm behind a firewall. This is our company intranet site, but I will definitely make note of this and use this in my code from now on.
Oct 5 '07 #5
