Strange Form Var problem

Question

grabit 0 Newbie Poster

12 Years Ago

Hi CF people and a prosperous New Year to you all

I have the following query on an action page:
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
when i run this page i get this error - Element ID is undefined in FORM.

I have checked the source code on the preceding page and the 'hidden' ID input Is defined

So
when i do a cfdump of that query
<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>
<cfdump var="#getImage#"><cfabort>

the dump shows me that the query has been run. As i would expect it tells me that both the fields i am querying are empty strings because in the case im testing this is in fact true.

ps i use this query later in the page to determine if there is in fact an image to delete

Any help as usual would be greatly appreciated
cheers
Grabit

coldfusion

5 Contributors
6 Replies
103 Views
2 Months Discussion Span
Latest Post 12 Years Ago Latest Post by arrgh

fobos 19 Posting Whiz in Training

12 Years Ago

change ID to id and see if that helps

teedoff 3 Posting Pro

12 Years Ago

Try fabos solution, but if that doesn't work, can you post your form code?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

fobos 19 Posting Whiz in Training · Answer 1 · 2012-01-20T00:30:27+00:00

fobos 19 Posting Whiz in Training

12 Years Ago

lol fabos..

grabit 0 Newbie Poster · Answer 2 · 2012-01-20T01:34:07+00:00

lol fabos..

that shouldnt make a scrap of difference as coldfusion is not case sensitive - i am unsure of what i did but this matter is now resolved
cheers
Grabit

Nighteyez07 0 Newbie Poster · Answer 3 · 2012-03-16T03:02:40+00:00

For all that is Holy, use cfqueryparam in your queries! This one of the easiest actions you can do to prevent SQL Injection in your site. Here is a sample of how to use it:

<cfqueryparam cfsqltype="cf_sql_varchar" value="#FORM.id#" />

Here is the livedocs for the function:
http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=Tags_p-q_18.html
I know the link is for CF8, but that function hasn't changed for CF9 or 10.

The reason for using this is that your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

<cfquery name="getimage" datasource ="#dsn#">
SELECT ID, partImage, ImageAlt
FROM engReconParts
WHERE ID=#form.ID#
</cfquery>

If I use firebug on your form and change that value to be: 1 OR 1 = 1 then I can return all results. Now, you think this might not be so bad, so what if I did this instead? 1; DELETE FROM engReconParts; Now you have a big problem. I'll get your code to return the result for ID 1, but now afterwards I've gone in and deleted ALL records in your engReconParts table.

arrgh 22 Posting Whiz · Answer 4 · 2012-03-17T18:40:44+00:00

your code is very easy to hack and if you're using similar formed queries, I can do some dangerous things.

Sad there are still apps out there with this kind of unprotected code .. Makes you want to ask for the company web developer's credentials before doing business online.