I am building a list using SQL data and I am trying to make each value of the list as: 'value1',value2','value,4' and so on.
My problem is that I am using this code:
(
SELECT COUNT(ns.ticket)
FROM ns_trade ns
WHERE ns.[login]=mt.[login]
AND
<cfif qGetCommentsAccounting.recordCount gt 0>
ns.COMMENT IN ('#listChangeDelims(qGetCommentsAccounting.list_comments, "','")#')
<cfelse>
1=2
</cfif>
)as no_of_tickets_accounting
which is works perfect EXCEPT when my value has comma inside like 'value,4'.
Any suggestions how to solve that?
If both queries work on the same database, it would be way more KISS to put them together. Usually, you should try to do as much as possible within your database.
SELECT
COUNT(ns.ticket)
FROM
ns_trade ns
WHERE
ns.[login] = mt.[login]
AND
ns.COMMENT IN
(
SELECT
comment
FROM
tbl_comment
WHERE
report_type = <cfqueryparam value="#arguments.type#" cfsqltype="cf_sql_varchar">
AND
report_id = <cfqueryparam value="#arguments.report_id#" cfsqltype="cf_sql_integer">
)
I fix the problem changing my query to:
<cfquery name="qGetComments" datasource="#application.dsn#">
SELECT (STUFF((SELECT ',' +CHAR(39) +CAST(comment as varchar(50)) +CHAR(39)
FROM tbl_comment
WHERE report_type = <cfqueryparam value="#arguments.type#" cfsqltype="cf_sql_varchar">
AND report_id = <cfqueryparam value="#arguments.report_id#" cfsqltype="cf_sql_integer">
FOR XML PATH('')),1, 1, '')) as list_comments
</cfquery>
where CHR(39) is the single quote and later on the other query (wich is inside an cfsavecontent):
(SELECT COUNT(ns.ticket)
FROM ns_trade ns
WHERE ns.[login]=mt.[login]
AND <cfif qGetCommentsAccounting.recordCount gt 0> ns.COMMENT IN (#qGetCommentsAccounting.list_comments#)
<cfelse>
1=2
</cfif>)as no_of_tickets_accounting
and execute it with PreserveSingleQuotes()
Related
I have the column deletedTime in my instances table.
Now I want to check in ColdFusion if the value is null.
There is only one record to be printed out with the query.
IsNull(test) is returning the correct value,
but IsNull(searchForDeletedInstances.deletedTime) returns false but the value is in the datatable null..
<cfquery datasource="hostmanager" name="searchForDeletedInstances">
SELECT deletedTime
FROM instances
WHERE instanceId = <cfqueryparam value="#instanceId#"
cfsqltype="CF_SQL_NVARCHAR">
</cfquery>
<cfloop query="searchForDeletedInstances">
<cfset test= #deletedTime#>
</cfloop>
<cfreturn IsNull(test)>
<cfreturn IsNull(searchForDeletedInstances.deletedTime)>
I would do the test in the query.
<cfquery datasource="hostmanager" name="searchForDeletedInstances">
SELECT deletedTime
FROM instances
WHERE instanceId = <cfqueryparam value="#instanceId#" cfsqltype="CF_SQL_NVARCHAR">
AND deletedTime IS NULL
</cfquery>
<cfreturn BooleanFormat(searchForDeletedInstances.recordcount)>
ColdFusion 2018 does allow for NULL values but the server/site has to be configured to use it. This may break a lot of older code.
ColdFusion before 2018 will use an empty string for NULL values.
I would change the query to only look for NULL deletedTime records. Then use the searchForDeletedInstances.recordCount value to determine if a NULL record was found. The code would look something like this:
<cfquery datasource="hostmanager" name="searchForDeletedInstances">
SELECT deletedTime
FROM instances
WHERE instanceId = <cfqueryparam value="#instanceId#" cfsqltype="CF_SQL_NVARCHAR">
AND deletedTime IS NULL
</cfquery>
<cfset nullRecord = searchForDeletedInstances.recordCount ? true : false>
<cfreturn nullRecord>
Null values from a query come back as empty strings. Test for IsDate() instead. You can always use cfdump to show the contents of your query so you can see the data and data types returned.
I'm building a query in my system that should take user input and search the Users table in my database. There are three different options that I need to filter in my query. First would be if user enters just John that is first name, second is if they enter Miller that is last name and the third option is if they combine first and last name separated by comma or space like John Miller or John, Miller. In our old system the query that was filtering these kind of situations where user enters the name looks like this:
<cfif Find(',',arguments.searchFldVal) and ListLen(arguments.searchFldVal) GT 1> <!--- if comma exists --->
<cfset theLName = Trim(ListGetAt(arguments.searchFldVal,1))>
<cfset theFName = Trim(ListGetAt(arguments.searchFldVal,2))>
(
u_lastName LIKE <cfqueryparam value="#theLName#%" cfsqltype="cf_sql_varchar" />
AND
u_firstName LIKE <cfqueryparam value="#theFName#%" cfsqltype="cf_sql_varchar" />
)
<cfelseif Find(' ',arguments.searchFldVal) and not find(',',arguments.searchFldVal)><!--- if space exists --->
<cfset spaceIndex = Find(' ',arguments.searchFldVal)>
<cfset theFName = Trim(Mid(arguments.searchFldVal,1,spaceIndex-1))>
<cfset theLName = Trim(Mid(arguments.searchFldVal,spaceIndex+1,len(arguments.searchFldVal)-spaceIndex))>
(
u_lastName LIKE <cfqueryparam value="#theLName#%" cfsqltype="cf_sql_varchar" />
AND
u_firstName LIKE <cfqueryparam value="#theFName#%" cfsqltype="cf_sql_varchar" />
)
<cfelse><!--- one word --->
(
u_lastName LIKE <cfqueryparam value="#trim(arguments.searchFldVal)#%" cfsqltype="cf_sql_varchar" />
OR
u_firstName LIKE <cfqueryparam value="#trim(arguments.searchFldVal)#%" cfsqltype="cf_sql_varchar" />
)
</cfif>
The solution above works so far but as you can see that involves using a server side language (that is ColdFusion in my case) to check/search input string for special characters. I'm wondering if there is better way to do this with just using SQL? I have read a few articles and some people proposed an option with full text search that I have never used before and I'm not sure if that would be a good fit in this case. The other option is to combine first and last name and then do the search. Something like this:
WHERE u_firstname +' '+ u_lastName LIKE '%#Arguments.searchVal#%'
OR u_firstname +', '+u_lastName LIKE '%#Arguments.searchVal#%'
If anyone has any experience with this type of search algorithm/technique please let me know. I have a few places in my system where I need to implement this and I'm looking for a reliable solution.
Here is my code:
<cfdump var="#addEnt#" >
<!-- ADD -->
<cfquery name="add" datasource="testdatasource" dbtype="OLEDB">
UPDATE tblrequests
SET
lastname='#ucase(form.lastname)#',
firstname='#ucase(form.firstname)#',
middlei='#ucase(form.middlei)#',
title='#form.title#',
eod='#dateformat(form.eod,'m-d-yyyy')#',
dutystation='#form.dutystation#',
requestsnetwork=<cfif parameterexists(form.requestsnetwork)>1<cfelse>0</cfif>,
affiliation='#form.affiliation#',
commentssupvreq='#form.commentssupvreq#',
requestdelete=<cfif form.requestdelete IS NOT ''>'#dateformat(form.requestdelete,'m-d-yyyy')#',<cfelse>Null,</cfif>
commentssupvdelete='#form.commentssupvdelete#',
commentssupvedit='#form.commentssupvedit#',
dateemailrequested=<cfif form.dateemailrequested IS NOT ''>'#dateformat(form.dateemailrequested,'m-d-yyyy')#',<cfelse>Null,</cfif>
commentsit='#form.commentsit#',
bgcomplete=<cfif form.bgcomplete IS NOT ''>'#dateformat(form.bgcomplete,'m-d-yyyy')#',<cfelse>Null,</cfif>
dategroupscreated=<cfif form.dategroupscreated IS NOT ''>'#dateformat(form.dategroupscreated,'m-d-yyyy')#',<cfelse>Null,</cfif>
WHERE recnumber = #addEnt#
</cfquery>
When I submit the form I get an error:
Error Executing Database Query. [Macromedia][SQLServer JDBC
Driver][SQLServer]Incorrect syntax near the keyword 'WHERE'.
My cfdump displays the correct addent number from sql, but using #addEnt# in the sql statement is not working. Other pages in my applications ## for SQL queries and they work fine.
The last line in your set statements has a comma at the end, which is where the SQL will be complaining
(Too long for comments)
As suggested in the comments, there are several improvements you could make to the query: one of the biggest, being the addition of cfqueryparam. It provides several advantages, such as:
CFQueryparam, or bind variables, help improve performance by encouraging databases to reuse query execution plans, rather than generating a new one each time (which is a costly operation).
Bind variables also prevent the execution of client supplied values as SQL commands, which has the happy side effect of preventing common forms of sql injection.
CF's implementation of bind variables also provides an extra layer of validation, by type checking input values, before the query is ever executed. So when invalid parameters are detected, it saves a wasted trip to the database.
A few other tips for improving the query
Although it makes no syntactical difference, consider placing commas at the beginning of each line, rather than at the end. This makes it easier to spot extra or missing commas:
UPDATE SomeTable
SET ColumnA = 'xxxx'
, ColumnB = 'yyyy'
, ColumnC = 'zzzzz'
, ColumnD = 'xxxx'
, ColumnE = 'yyyy'
WHERE ....
It looks like your query is populating several datetime columns. When working with datetime columns, it best to use date objects, not strings. Date strings are ambiguous, and can be interpreted differently than you might expect, depending on the database or settings. To insert a date only, use <cfqueryparam cfsqltype="cf_sql_date" ...>, for both date and time use <cfqueryparam cfsqltype="cf_sql_timestamp" ...>. Obviously, always validate the date strings first.
Consider using cfqueryparam's null attribute. It can be quite handy when inserting null values conditionally. (See example below)
As an aside, ParameterExists was deprecated a while ago and replaced with IsDefined, or preferably StructKeyExists. In this case, another alternative to a CFIF is to declare a default with cfparam, so the form field in question always exists.
Putting it all together, your final query might look something like this. I guessed about the column data types, so adjust as needed.
UPDATE tblrequests
SET lastname = <cfqueryparam value="#ucase(form.lastname)#" cfsqltype="cf_sql_varchar">
, firstname = <cfqueryparam value="#ucase(form.firstname)#" cfsqltype="cf_sql_varchar">
, middlei = <cfqueryparam value="#ucase(form.middlei)#" cfsqltype="cf_sql_varchar">
, title = <cfqueryparam value="#form.title#" cfsqltype="cf_sql_varchar">
, eod = <cfqueryparam value="#form.eod#" cfsqltype="cf_sql_date">
, dutystation = <cfqueryparam value="#form.dutyStation#" cfsqltype="cf_sql_varchar">
, requestsnetwork = <cfqueryparam value="#form.requestsNetwork#" cfsqltype="cf_sql_bit">
, affiliation = <cfqueryparam value="#form.affiliation#" cfsqltype="cf_sql_varchar">
, commentssupvreq = <cfqueryparam value="#form.commentsSupvReq#" cfsqltype="cf_sql_varchar">
, requestdelete = <cfqueryparam value="#form.requestDelete#" cfsqltype="cf_sql_date" null="#not isDate(form.requestDelete)#">
, commentssupvdelete = <cfqueryparam value="#form.commentssupvdelete#" cfsqltype="cf_sql_varchar">
, commentssupvedit = <cfqueryparam value="#form.commentssupvedit#" cfsqltype="cf_sql_varchar">
, dateemailrequested = <cfqueryparam value="#form.dateEmailRequested#" cfsqltype="cf_sql_date" null="#not isDate(form.dateEmailRequested)#">
, commentsit = <cfqueryparam value="#form.commentsit#" cfsqltype="cf_sql_varchar">
, bgcomplete = <cfqueryparam value="#form.bgComplete#" cfsqltype="cf_sql_date" null="#not isDate(form.bgComplete)#">
, dategroupscreated = <cfqueryparam value="#form.dateGroupsCreated#" cfsqltype="cf_sql_date" null="#not isDate(form.dateGroupsCreated)#">
WHERE recnumber = <cfqueryparam value="#addEnt#" cfsqltype="cf_sql_integer">
Since cfqueryparam doesn't work in an order by, would using xmlformat stop sql injections?
ORDER BY #xmlformat(myVariable)#
Thanks,
http://www.petefreitag.com/item/677.cfm
A good way to get around this limitation is to use the ListFindNoCase function, to limit the sortable column names, for example:
<cfset sortable_column_list = "age,height,weight,first_name">
<cfquery ...>
SELECT first_name, age, height, weight
FROM people
ORDER BY <cfif ListFindNoCase(sortable_column_list, url.sort_column)>#url.sort_column#<cfelse>first_name</cfif>
</cfquery>
This is from a stored procedure, but translate an #ORDER_BY value to an actual database column and a #SORT_ORDER value to a SQL command.
ORDER BY
CASE WHEN #ORDER_BY = 'LENDER' AND #SORT_ORDER = 'D' THEN l.tms_name END DESC,
CASE WHEN #ORDER_BY = 'LENDER' AND #SORT_ORDER != 'D' THEN l.tms_name END,
CASE WHEN #ORDER_BY = 'LOAN_NUMBER' AND #SORT_ORDER = 'D' THEN p.Loan_Number END DESC,
CASE WHEN #ORDER_BY = 'LOAN_NUMBER' AND #SORT_ORDER != 'D' THEN p.Loan_Number END,
XML Format won't handle all cases.
The column check is good, but I'm guessing that the advantage of letting the user define what the order by is, is because you can make it more complex than just a single column. For instance, you could add several columns and an Ascending, Descending etc...
I'd suggest you make a globally available function that strips out any character that isn't a number, letter or comma. If someone did attempt to do a SQL Injection it would just fail.
<cfif refindnocas('^\w+ ?(desc|asc)?$', myVariable)>
ORDER BY #myVariable#
</cfif>
or
<cfset columnList = 'col1,col2,etc' /> <!--- might want to use in select as well --->
<cfset regexColList = replace(columnList, ',', '|', 'all') />
<cfif not refindnocas('^(#regexColList#) ?(desc|asc)?$', myVariable)>
<cfset myVariable = "DefaultSort" />
</cfif>
ORDER BY #myVariable#
or
ORDER BY #query_sort(myVariable, columnList, defaultSort)#
...
<cffunction name="query_sort">
<cfargument name="sort" />
<cfargument name="columns" />
<cfargument name"default" />
<cfset var regexcolumns = replace(columns, ',', '|', 'all') />
<cfif refindnocas('^(#regexcolumns#) ?(desc|asc)?$', sort)>
<cfreturn sort />
<cfelse>
<cfreturn default />
</cfif>
</cfargument>
etc
Another option is a slight twist on the ListFindNoCase approach. Column information can be stored in a structure. The key would be the publicly visible column name and the value is the real column name. It is a little more complex. But I like the fact that it does not require you to expose your schema. It also supports more compound statements as Dave mentioned.
<cfset sortCols = { defaultCol="DepartmentName"
, date="ReportDate"
, type="DepartmentName"
, num="EmployeeID" } />
....
SELECT Columns
FROM TableName
ORDER BY
<cfif structKeyExists(sortCols, url.sort_column)>
#sortCols[url.sort_column]#
<cfelse>
#sortCols["defaultCol"]#
</cfif>
I want to ask how to update data in all row at the same time. This is my SQL:
<cfloop index="#form.ppp_id#">
<cfquery name="viewPoint" datasource="#application.DataSource#">
update PCRS_PHOTOPOINT set PPP_POINT_FROM = #form.point_from#,
PPP_POINT_UNTIL = #form.point_until#,
PPP_UPDATE_DATE = SYSDATE, PPP_ICONS_NAME = '#form.icons_name#'
where PPP_ID = #form.ppp_id#
</cfquery>
</cfloop>
I got this error:
Attribute validation error for tag 'CFLOOP'
There's no need to use a loop at all. You can use SQL's in operator instead of = to update a list of values all at once, instead of executing a SQL statement in a loop. Also, as someone else already mentioned, you'd better be using cfqueryparam instead of passing user-supplied strings straight to the DB.
<cfquery name="viewPoint" datasource="#application.DataSource#">
update PCRS_PHOTOPOINT set
PPP_POINT_FROM = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.point_from#">,
PPP_POINT_UNTIL = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.point_until#">,
PPP_UPDATE_DATE = SYSDATE,
PPP_ICONS_NAME = <cfqueryparam cfsqltype="cf_sql_varchar" value="#form.icons_name#">
where PPP_ID in (<cfqueryparam list="yes" cfsqltype="cf_sql_integer" value="#form.ppp_id#">)
</cfquery>
You should be doing it like this:
<cfloop list="#form.ppp_id#" index="iItems">
<cfquery name="viewPoint" datasource="#application.DataSource#">
update PCRS_PHOTOPOINT set PPP_POINT_FROM = "#form.point_from#",
PPP_POINT_UNTIL = "#form.point_until#",
PPP_UPDATE_DATE = SYSDATE, PPP_ICONS_NAME = "#form.icons_name#"
where PPP_ID = #iItems#
</cfquery>
</cfloop>
Let me know how it goes.