When running a query with EncryptByKey and cfqueryparam, the value appears to be getting truncated.
For example:
<cfset customer_number = 123 />
<cfset soc_sec_number = "123-45-6789" />
<cfquery datasource="web_applications">
OPEN SYMMETRIC KEY SSNKey
DECRYPTION BY CERTIFICATE SSNCert;
UPDATE
Customers
SET
SSN_Encrypted = EncryptByKey( Key_GUID( 'SSNKey' ), <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#soc_sec_number#" > )
WHERE
customer_number = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#customer_number#" > ;
CLOSE SYMMETRIC KEY SSNKey;
</cfquery>
The resulting database value, when decrypted, is "1". If I remove the <cfqueryparam>, the whole value is stored without issue. Additionally, this issue only occurs when used in conjunction with EncryptByKey.
We're using CF 2018 and sql 2016. This just began to be a problem yesterday. It may or may not be related, but our power was lost yesterday. Is it possible that some cf file was corrupted, or some encoding setting was changed? How would I check for this?
UPDATE:
When performing the following query:
<cfquery name="get_ssn">
OPEN SYMMETRIC KEY SSNKey
DECRYPTION BY CERTIFICATE SSNCert;
SELECT
CONVERT( VARCHAR, DecryptByKey( [ssnEncrypted] ) ) AS decrypted_ssn
FROM
customers
WHERE
Customer.customer_number= <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#customer_number#" > ;
CLOSE SYMMETRIC KEY SSNKey;
</cfquery>
The resulting value of decrypted_ssn is as follows:
<cfdump var="#get_ssn.decrypted_ssn#"> -> 123-45-6789
<cfdump var="#right(get_ssn.decrypted_ssn, 4)#"> -> 89
in sql studio -> 1
I suspect some encoding issue at this point, since ColdFusion returns the full value but thinks that right(123-45-6789, 4) is 89 rather than 6789.
I'm not sure how to test this theory.
UPDATE:
I've confirmed this issue is arising on more than one table, and with more than one symmetric key.
UPDATE again:
The string saved using cfqueryparam, when the LEN() command is used, outputs 22, whereas the value WITHOUT cfqueryparam outputs 11.
UPDATE:
I followed the solution Here, which seemed to resolve my issue. But I want to understand how this happened. The connection didn't seem to require this until yesterday, when the power went out and the server restarted.
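An added illustration, not part of the original post, of the encoding hypothesis raised above. It assumes the parameterized string reached EncryptByKey as NVARCHAR (UTF-16LE) rather than VARCHAR; the function names are hypothetical, Latin-1 stands in for the column's single-byte code page, and the two display helpers are simplified models of how a client renders NUL characters.

```python
SSN = "123-45-6789"  # sample value from the question

def plaintext_bytes(value: str, as_nvarchar: bool) -> bytes:
    """Bytes handed to EncryptByKey for an NVARCHAR vs a VARCHAR argument."""
    return value.encode("utf-16-le" if as_nvarchar else "latin-1")

def read_as_varchar(decrypted: bytes) -> str:
    """Model CONVERT(VARCHAR, DecryptByKey(...)): one byte becomes one character."""
    return decrypted.decode("latin-1")

def shown_until_nul(text: str) -> str:
    """Model a client that stops rendering at the first NUL character."""
    return text.split("\x00", 1)[0]

def shown_without_nul(text: str) -> str:
    """Model HTML output, where NUL characters are simply invisible."""
    return text.replace("\x00", "")

def looks_like_utf16le(decrypted: bytes) -> bool:
    """Audit heuristic, valid for ASCII-range data only: every second byte is 0x00."""
    return (len(decrypted) >= 2 and len(decrypted) % 2 == 0
            and all(b == 0 for b in decrypted[1::2]))

def recover(decrypted: bytes) -> str:
    """Decode a decrypted value whichever way it was originally encrypted."""
    encoding = "utf-16-le" if looks_like_utf16le(decrypted) else "latin-1"
    return decrypted.decode(encoding)

def symptoms(value: str) -> dict:
    """The four observations from the question, derived from one stored value."""
    stored = read_as_varchar(plaintext_bytes(value, as_nvarchar=True))
    return {
        "len": len(stored),                          # LEN() in SQL
        "studio": shown_until_nul(stored),           # value seen in the SQL client
        "cfdump": shown_without_nul(stored),         # value seen in cfdump
        "right4": shown_without_nul(stored[-4:]),    # right(value, 4) in cfdump
    }

if __name__ == "__main__":
    for name, value in symptoms(SSN).items():
        print(f"{name}: {value!r}")
```

Under that assumption, rows written while the parameter was sent as Unicode can be found after decryption with `looks_like_utf16le` and read back with `recover`, without touching rows that were encrypted as VARCHAR.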
Related
The application in question runs on Coldfusion 11 with hotfix 7 and is running on a Linux server that is connected to a Windows Oracle database. The goal is to make the application run on Linux, which is a step-by-step process (which is why the database is on a Windows server).
I know the database works because it connects successfully via the Coldfusion administrator panel and this SQL statement returns an user_id successfully:
<cfquery name="qUser" datasource="#Application.datasource#">
SELECT td_user_id
FROM td_user
WHERE ROWNUM <= 1
</cfquery>
The code in question is such:
<cfstoredproc procedure="td_session_pkg.new_session" datasource="#application.datasource#">
<cfprocparam type="In" cfsqltype="CF_SQL_CHAR" value="#arguments.username#">
<cfprocparam type="In" cfsqltype="CF_SQL_CHAR" value="#arguments.password#">
<cfprocparam type="In" cfsqltype="CF_SQL_CHAR" value="#cgi.remote_addr#">
<cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" value="#rand_int#">
<cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" value="#application.app_id#">
<cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" value="1">
<cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" value="#pwdRequired#">
<cfprocparam type="Out" cfsqltype="CF_SQL_CHAR" variable="sid">
</cfstoredproc>
<!--- Test --->
<cfquery name="testS" datasource="#Application.datasource#">
SELECT
sys_context('USERENV','SID') AS theSid
FROM dual
</cfquery>
<cfthrow message="SID: #sid# and #testS.theSid#">
The cfthrow returns
SID: (blank here) and 37
I've tried many things but have yet to return the sid correctly (it is needed to continue user authentication). The values inside the cfprocparam tags are variables stated above and all have valid values.
Coldfusion variables are not case sensitive, as stated by Adobe
Any insight as to why this wouldn't return the sid and why the SQL statement would? (from my research I believe they are the same thing).
Thanks for the help, I will answer any questions quickly.
Since the code I posted in comments has the white-space mangled:
SET SERVEROUTPUT ON;
DECLARE
sid VARCHAR2(20);
BEGIN
td_session_pkg.new_session(
'username',
'password',
'remote_addr',
0,
0,
1,
0,
sid
);
DBMS_OUTPUT.PUT_LINE( 'SID' || sid );
END;
/
Run this in an SQL client (i.e. SQL developer or SQL/Plus) from the user you would connect to via ColdFusion.
The aim is to test that the database:
1. Has the procedure.
2. The database user has access to it.
3. The procedure runs in the database.
4. The procedure gives the expected result.
Running the query successfully will tell you that #1-#3 are fine and you can check #4 against your expectations.
If any aren't as expected then you know the problem is at the database end and not in ColdFusion.
If they run as expected then you can start looking at the CF settings to make sure your datasources are pointing where you expect (i.e. are they connecting to the correct user) and that the datasource has permissions to execute procedures.
Then if that is all correct, look at the variables you are passing into the <CFSTOREDPROC> and <CFPROCPARAM> tags - are the datasource and variables as expected.
If you want to formalize it as you go then you could write unit & integration tests which cover the steps you try and next time you want to test things you just run the test suites.
I am getting this error and don't understand why:
Error Executing Database Query. [Macromedia][SQLServer JDBC
Driver][SQLServer]Invalid column name 'buildno'. The error occurred
in C:/data/wwwroot/webappsdev/cfeis/redbook/redbook_bio_load.cfm: line
10
8 : select *
9 : from redbook_bio
10 : where build_num = '#session.build_num#'
11 : </cfquery>
12 :
VENDORERRORCODE: 207 SQLSTATE: 42S22 SQL: select * from
redbook_bio where buildno = '4700' DATASOURCE: xxxx
It is saying buildno is an invalid column name, but I do not have that name in my query. I used to, but changed both the column in the database and the column name in the query to build_num. You can see my exact code with line numbers, and that there is no 'buildno' in there. But looking at the SQL statement below that, it is still trying to use 'buildno'.
I had my editor check the directory for anywhere it says buildno and no results came back. I have restarted the CF Service and cleared the cache. Why would it still be trying to run it with buildno instead of build_num like the code says?
There was a cfquery cache setting in the Administrator. We had it set to 100. Apparently clearing the cache template and component cache doesn't clear the cfquery cache. I changed the query name and it fixed the problem. It most likely could have been fixed by setting the cfquery cache value to 0.
In Powerbuilder I am trying to update a table (Oracle) with blob but get sqlerror, "Database statement must refer to blob variable". My declaration and updateblob statements are as follows:
blob lblob_newxml
long llong_subid
UPDATEBLOB RP_XML_FORMS SET XML_DOC = :lblob_newxml
WHERE SUBMISSION_ID = :llong_subid
USING SQLCA;
Does anybody know why it is happening and/or how to solve this problem? Thanks.
To get more information on this problem and the possible causes, I'd run with one of the database traces turned on. (You can check out database trace options in the Connecting to Your Database manual; link may not be appropriate for your PB version, which you haven't mentioned yet.) This may or may not tell you more, but it tracks everything between the app and when the PB drivers pass the commands "over the wall" to the database's driver.
Good luck,
Terry.
"The PowerBuilder VM can get the SQL syntax for the following types of errors, and passes it to the Transaction object’s DBError event for the following types of errors: ..." (see this page).
If your lblob_newxml is null then use this update statement instead:
UPDATE RP_XML_FORMS SET XML_DOC = NULL
WHERE SUBMISSION_ID = :llong_subid
USING SQLCA;
I had a stored proc for which I made changes and added 2 new form fields to a stored proc,
and then ran it successfully.
Now when I revoke the stored proc and run, it runs successfully, but in ColdFusion
it gives the error:
[Macromedia][SQLServer JDBC Driver][SQLServer]Insert Error: Column name or number of supplied values does not match table definition.
90 : <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" dbvarname="#reportMonth" value="#xxMDB#">
91 : <cfprocparam type="in" cfsqltype="CF_SQL_INTEGER" dbvarname="#orderBy" value="#xxOBDB#">
92 : **<cfprocresult name="xxResult">**
93 : </cfstoredproc>
Since ColdFusion MX:
Changed the dbvarname attribute
behavior: it is now ignored for all
drivers. ColdFusion uses JDBC 2.2 and
does not support named parameters.
http://www.cfquickdocs.com/cf8/#cfprocparam
I have a query that is being used in a ColdFusion file (MX) (on Production for 10 yrs).
I have used this application/files for 4 months, successfully.
But now, suddenly, I am getting the error
Element RECORDCOUNT is undefined in "yyReslt"
Will this occur if the Database connection is slow/improper?
Are there any conditionals around the cfquery? Are you sure it is being run? You should turn on debugging for your IP address to make sure the query is running.
Also, you would get a different error if the connection timed out.
Sounds like your query might have some cfif statements in/around it, and nothing is being done. In addition to what Jason mentioned, you can also use cfdump to view the query object on your screen without turning on the debug data.
<cfdump var="#yyReslt#">
This also could be a concurrency issue combined with unscoped variables if happening within the context of a component that exists in the application scope, but the query variable was not scoped within the component.
<cfcomponent>
<cffunction name="foo">
<!--- yyReslt is not var-scoped, so it lands in the component's variables scope --->
<cfquery name="yyReslt" datasource="DB">
SELECT ...
</cfquery>
<cfif yyReslt.RecordCount GT 1>
.... DO SOME WORK ....
</cfif>
</cffunction>
</cfcomponent>
Simply scoping yyReslt before the query would fix this.
<cfset var yyReslt = "" />
All variables need to be scoped, varscoper is helpful in checking components for scoping omissions.
http://varscoper.riaforge.org/