magic_quotes_gpc setting for ColdFusion? ColdBox? - mysql

I am new to ColdFusion and want to remove single quotes from the values of my input fields. I tried searching on Google, and what I found was to use "magic_quotes_gpc" or "mysql_real_escape_string", but those functions do not exist in ColdFusion. Is there any way to handle this kind of MySQL query injection in ColdFusion?
Updated:
Thank you for the reply, but please look at my code:
<div class="form-group">
<label for="jobDesc">Job description</label>
<textarea name="description" class="form-control" rows="3" id="jobDesc">
<cfif isdefined('userTime')>#userTime.description#</cfif>
</textarea>
</div>
I just want to use single quotes in the text area, and my form submits to an event. The query is:
sqlstr = "";
sqlstr = "insert into usertime set
userid = '#arguments.userTimeParams.userid#',
projectid = '#arguments.userTimeParams.projectid#',
timesheetdate = '#arguments.userTimeParams.timesheetdate#',
estimatedtimespent = '#arguments.userTimeParams.jobhours * 60 + arguments.userTimeParams.jobMins#',
description = '#arguments.userTimeParams.description#',
timeentered = #arguments.userTimeParams.timeentered#;";
queryObj = new query();
queryObj.setDatasource("timesheet");
queryObj.setName("adduserTime");
result = queryObj.execute(sql=sqlstr);
adduserTime = result.getResult();
return result.getPrefix().generatedKey;
I have one option, which is to add slashes to my string, but then I have to add slashes to all strings. So is there any function or way to do this with fewer lines of code?
Sorry for asking so much with limited knowledge.

Um... just don't pass your user input (or any other data) values hard-coded in your SQL statements; pass them as parameter values instead.
Example:
coloursViaQueryExecute = queryExecute("
SELECT en AS english, mi AS maori
FROM colours
WHERE id BETWEEN :low AND :high
",
{low=URL.low, high=URL.high},
{datasource="scratch_mssql"}
);
Where low and high are your parameters.
See the relevant docs: QueryExecute()
And further reading on the topic:
What one can and cannot do with <cfqueryparam>
Query.cfc / queryExecute() have a good feature <cfquery> lacks

Without parameterizing the user data, you are opening yourself to SQL injection. The REReplace() may not catch everything. Here is how you should rewrite that code to use cfqueryparam. You may need to tweak the addParam() method calls to add the correct cfsqltype.
sqlstr = "";
sqlstr = "insert into usertime set
userid = :userid,
projectid = :projectid,
timesheetdate = :timesheetdate,
estimatedtimespent = :estimatedtimespent,
description = :description,
timeentered = :timeentered";
queryObj = new query();
queryObj.setDatasource("timesheet");
queryObj.setName("adduserTime");
queryObj.addParam( name="userid", value=arguments.usertimeparams.userid);
queryObj.addParam( name="projectid", value=arguments.usertimeparams.projectid);
queryObj.addParam( name="timesheetdate", value=arguments.usertimeparams.timesheetdate, cfsqltype="CF_SQL_TIMESTAMP");
queryObj.addParam( name="estimatedtimespent", value=arguments.userTimeParams.jobhours * 60 + arguments.userTimeParams.jobMins, cfsqltype="CF_SQL_INTEGER");
queryObj.addParam( name="description", value=arguments.usertimeparams.description);
queryObj.addParam( name="timeentered", value=arguments.usertimeparams.timeentered, cfsqltype="CF_SQL_INTEGER");
result = queryObj.execute(sql=sqlstr);
adduserTime = result.getResult();
return result.getPrefix().generatedKey;

Related

How to solve sql error " product portfolio has diversified to encompass a highly successful multi-brand' at line 1"

I am kind of new to MySQL and PHP. A week ago this code worked perfectly, and now when I try it, it shows this error message:
Error : You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 's product portfolio has diversified to encompass a highly
successful multi-brand' at line 1
I searched for how to solve that for a whole day but couldn't figure it out.
I have tried similar questions here on Stack Overflow, yet I am still stuck.
Any help would be really appreciated.
Given below is my code
<?php
if(isset($_POST['upload']))
{ $company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
$fileName = $_FILES['Filename']['name'];
$fileName1 = $_FILES['Filename1']['name'];
$fileName2 = $_FILES['Filename2']['name'];
$fileName3 = $_FILES['Filename3']['name'];
$fileName4 = $_FILES['Filename4']['name'];
$target = "company_images/";
$fileTarget = $target.$fileName;
$fileTarget1 = $target.$fileName1;
$fileTarget2 = $target.$fileName2;
$fileTarget3 = $target.$fileName3;
$fileTarget4 = $target.$fileName4;
$tempFileName = $_FILES["Filename"]["tmp_name"];
$tempFileName1 = $_FILES["Filename1"]["tmp_name"];
$tempFileName2 = $_FILES["Filename2"]["tmp_name"];
$tempFileName3 = $_FILES["Filename3"]["tmp_name"];
$tempFileName4 = $_FILES["Filename4"]["tmp_name"];
$result = move_uploaded_file($tempFileName,$fileTarget);
$result1 = move_uploaded_file($tempFileName1,$fileTarget1);
$result2 = move_uploaded_file($tempFileName2,$fileTarget2);
$result3 = move_uploaded_file($tempFileName3,$fileTarget3);
$result4 = move_uploaded_file($tempFileName4,$fileTarget4);
$file = rand(1000,100000)."-".$_FILES['file']['name'];
$file_loc = $_FILES['file']['tmp_name'];
$file_size = $_FILES['file']['size'];
$file_type = $_FILES['file']['type'];
$folder="pdf_uploads/";
// new file size in KB
$new_size = $file_size/1024;
// new file size in KB
// make file name in lower case
$new_file_name = strtolower($file);
// make file name in lower case
$final_file=str_replace(' ','-',$new_file_name);//anthima
if(move_uploaded_file($file_loc,$folder.$final_file))
{
$query = "INSERT INTO company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4) VALUES ('$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4')";
$con->query($query) or die("Error : ".mysqli_error($con));
mysqli_close($con);
}
}
?>
Given below is the test data error
VALUES ('singer','Hardware','singer#gmail.com','singer','Singer has been in Sr' at line 1
Because you never sanitize anything and put the data straight into your query,
$company_name =$_POST['company_name'];
$service =$_POST['service'];
$email =$_POST['email'];
$password =$_POST['password'];
$details =$_POST['details'];
...
$query = "INSERT INTO
company_details( company_name,service, email, password, details,image_path,file_name,image_path1,file_name1,image_path2,file_name2,image_path3,file_name3,file,type,size,image_path4,file_name4)
VALUES (
'$company_name','$service','$email','$password','$details','$fileTarget','$fileName','$fileTarget1','$fileName1','$fileTarget2','$fileName2','$fileTarget3','$fileName3','$final_file','$file_type','$new_size','$fileTarget4','$fileName4'
)";
Your problem is most likely in the data:
's product portfolio has diversified to encompass a highly successful multi-brand
Maybe you have unescaped apostrophes in your data, so you're kinda SQL-injecting yourself. The query ends before the string shown in the error.
The solution is to escape special chars before inserting like in this question: How do I escape only single quotes?
In your case, start with the details
$details = addcslashes($_POST['details'], "'");
or
$details = addslashes($_POST['details']);
But keep adding test scenarios for your code. E.g. what happens if the company name gets something like Mc'Donaldson? What is the set of chars you want to accept for each field? Then you will know how to validate those fields and create your functions (or reuse something).
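Added example, not code from either of the posters above: it puts the concatenated INSERT from this PHP question next to the parameterized form that the ColdFusion answers earlier on this page recommend (the same :name placeholders as query.cfc's addParam). Python's standard sqlite3 module stands in for MySQL/MariaDB and for query.cfc, since the mechanism is identical; the table and rows are constructed for the demo. The second row carries the legitimate apostrophe from the "Mc'Donaldson" case: concatenation turns it into a syntax error (the same failure as the error message in the question), while binding the values stores the row intact with no escaping at all.

```python
import sqlite3

# Constructed sample rows (not real data). The second company name contains a
# legitimate apostrophe, the "Mc'Donaldson" case raised in the answer above.
SAMPLE_ROWS = [
    {"company_name": "singer", "service": "Hardware",
     "details": "Singer has been in Sri Lanka for decades"},
    {"company_name": "Mc'Donaldson", "service": "Catering",
     "details": "McDonaldson's product portfolio has diversified"},
]


def open_db():
    """In-memory SQLite stand-in for the MySQL/MariaDB table in the question."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE company_details (company_name TEXT, service TEXT, details TEXT)"
    )
    return con


def insert_concatenated(con, row):
    """The pattern from the question: values interpolated straight into the SQL text.
    Returns None on success, otherwise the database error message."""
    sql = (
        "INSERT INTO company_details (company_name, service, details) VALUES "
        f"('{row['company_name']}', '{row['service']}', '{row['details']}')"
    )
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.Error as exc:
        # An apostrophe in the data terminates the string literal early, so the
        # rest of the value is parsed as SQL: the same failure as the question's error.
        return str(exc)


def insert_parameterized(con, row):
    """Named placeholders: the sqlite3 equivalent of query.cfc's :name parameters
    and of mysqli prepared statements. The driver sends the values separately
    from the SQL text, so quotes inside the data are never parsed as SQL."""
    sql = (
        "INSERT INTO company_details (company_name, service, details) "
        "VALUES (:company_name, :service, :details)"
    )
    con.execute(sql, row)
    con.commit()
    return None


def stored_names(con):
    return [r[0] for r in con.execute(
        "SELECT company_name FROM company_details ORDER BY rowid")]


def stored_details(con, company_name):
    row = con.execute(
        "SELECT details FROM company_details WHERE company_name = ?",
        (company_name,),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both approaches over the same rows, each on a fresh database."""
    results = {}
    con = open_db()
    results["concat_errors"] = [insert_concatenated(con, r) for r in SAMPLE_ROWS]
    results["concat_stored"] = stored_names(con)

    con = open_db()
    results["param_errors"] = [insert_parameterized(con, r) for r in SAMPLE_ROWS]
    results["param_stored"] = stored_names(con)
    results["param_details"] = stored_details(con, "Mc'Donaldson")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows only the first row surviving the concatenated path, while the parameterized path stores both rows and returns the details text with its apostrophe unchanged. Escaping functions such as addslashes() are tied to one database's quoting rules; bound parameters remove the problem instead of patching it, which is why the ColdFusion answers above insist on them.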

Update planned order - two committed modifications, only one saved

I need to update two pieces of information on one object: the quantity (PLAF-gsmng), and refresh the planned order via the module function 'MD_SET_ACTION_PLAF'.
I successfully found a way to update each piece of data separately. But when I execute both solutions, the second modification is not saved to the database.
Do you know how I can change the quantity & set the action on PLAF (Planned order) table ?
Do you know other module function to update only the quantity ?
Maybe a parameter missing ?
It's as if the second object were locked (sm12 empty, no sy-subrc = locked) ... and the modification is not committed.
I tried to:
change the order of the algorithm (refresh and after, change PLAF)
add, remove, move the COMMIT WORK & COMMIT WORK AND WAIT
add DEQUEUE_ALL or DEQUEUE_EMPLAFE
This is the current code:
1) Read the data
lv_plannedorder = '00000000001'.
"Read PLAF data
SELECT SINGLE * FROM PLAF INTO ls_plaf WHERE plnum = lv_plannedorder.
2) Update Quantity data
" Standard configuration for FM MD_PLANNED_ORDER_CHANGE
CLEAR ls_610.
ls_610-nodia = 'X'. " No dialog display
ls_610-bapco = space. " BAPI type. Do not use mode 2 -> Action PLAF-MDACC will be automatically set to APCH by the FM
ls_610-bapix = 'X'. " Run BAPI
ls_610-unlox = 'X'. " Update PLAF
" Customize values
MOVE p_gsmng TO ls_plaf-gsmng. " Change quantity value
MOVE sy-datlo TO ls_plaf-mdacd. " Change by/datetime, because ls_610-bapco <> 2.
MOVE sy-uzeit TO ls_plaf-mdact.
CALL FUNCTION 'MD_PLANNED_ORDER_CHANGE'
EXPORTING
ecm61o = ls_610
eplaf = ls_plaf
EXCEPTIONS
locked = 1
locking_error = 2
OTHERS = 3.
" Already committed on the module function
" sy-subrc = 0
If I go on the PLAF table, I can see that the quantity is edited. It's working :)
3) Refresh BOM & change Action (MDACC) and others fields
CLEAR ls_imdcd.
ls_imdcd-pafxl = 'X'.
CALL FUNCTION 'MD_SET_ACTION_PLAF'
EXPORTING
iplnum = lv_plannedorder
iaccto = 'BOME'
iaenkz = 'X'
imdcd = ls_imdcd
EXCEPTIONS
illegal_interface = 1
system_failure = 2
error_message = 3
OTHERS = 4.
IF sy-subrc = 0.
COMMIT WORK.
ENDIF.
If I go to the table, there is no modification (only the modification from part 2 can be found on it).
Any idea ?
Maybe because the ls_610-bapco = space ?
It should be possible to update planned order quantity with MD_SET_ACTION_PLAF too, at least SAP Help tells us so. Why don't you use it like that?
Its call for changing the quantity should possibly look like this:
DATA: lt_acct LIKE TABLE OF MDACCTO,
ls_acct LIKE LINE OF lt_acct.
ls_acct-accto = 'BOME'.
APPEND ls_acct TO lt_acct.
ls_acct-accto = 'CPOD'.
APPEND ls_acct TO lt_acct.
is_mdcd-gsmng = 'value'. "updated quantity value
CALL FUNCTION 'MD_SET_ACTION_PLAF'
EXPORTING
iplnum = iv_plnum
iaenkz = 'X'
ivbkz = 'X'
imdcd = is_mdcd "filled with your BOME-related data + new quantity
TABLES
tmdaccto = lt_acct
EXCEPTIONS
illegal_interface = 1
system_failure = 2
error_message = 3.
So there is no need for a separate call of MD_PLANNED_ORDER_CHANGE anymore, and no more problems with the update.
I used the word "possibly" because I didn't find any example of this FM call on the Web (and the SAP docu is quite ambiguous), so I propose this solution just as is, without verification.
P.S. Possible actions are listed in the T46AS table, and the possible impact of imdcd fields on the order can be checked in the MDAC transaction. It is somewhat of a GUI equivalent of this FM for a single order.

Change the connectionString Arg by values data entry by the user in an input with Razor Web Page

First, I apologize for my poor English (I'm French).
My problem is that I need to recover some data, like the server IP, user name and password, which the user enters in some inputs on submit, and use these data to change the connectionString which is in web.config. But I don't know how to do it.
I hope I have been clear, and thank you in advance for your help.
Well, after a lot of searching and work, I have chosen to change my connectionString like this:
@{
Layout = "~/_Layout.cshtml";
Page.Title = "Dossier Racine";
var srv = Request.QueryString["server"];
var usr = Request.QueryString["username"];
var pwd = Request.QueryString["password"];
var db = Database.OpenConnectionString("server="+srv+";database=ReportServer;uid="+usr+";pwd="+pwd+"","System.Data.SqlClient");
var sqlFile = " SELECT *"
+ " FROM Catalog";
var selectedData = db.Query(sqlFile);
}

Is it possible to have a textbox in which they input information to be searched in the column that they can also choose by use of a drop down menu?

For example, user wants to search the movie database, by director's last name, so the user will type in Smith and then in the drop down menu will choose Director's Last Name. I just need to know how to get the post variables into the SELECT --> WHERE function
$columnsch = $_POST["columnsearch"];
$contentsch = $_POST["contentsearch"];
$result = mysql_query("SELECT * FROM movies WHERE $columnsch ='$contentsch'");
if (!$result) {
die ("Database Query Failed: ".mysql_error());
}
I know the above code is incorrect but it gives the general idea of what I want to achieve.
Zdravko, I'm really new to this; I'm not sure where your lines of code, for example the SQL, would fit in with what I have.
You can do two things. The first is to generate the SQL based on the search criteria:
sql = sql + 'WHERE ' + SearchField + ' = "'+ SearchValue + '";'
The other is to write the SQL like this:
WHERE (#SearchField = 'Director' and Director = #SearchValue)
OR (#SearchField = 'Star' and Star = #SearchValue)
....
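Added example, not code from the question or the answer above: both of the answer's approaches, written so that neither the column choice nor the search text can change the shape of the query. Python's sqlite3 module stands in for mysql_query(), and the movies table and its rows are constructed for the demo. In the first approach the drop-down value is only ever used as a lookup key into an allowlist of column names (a column name cannot be bound as a parameter, so this lookup is what keeps it safe); in the second, the field name and the search text are both ordinary bound parameters of one fixed statement.

```python
import sqlite3

# Allowlist: posted drop-down value -> real column name. Only these column
# names are ever spliced into SQL; the textbox value is always a bound parameter.
SEARCHABLE_COLUMNS = {
    "director_lname": "director_lname",
    "star": "star",
    "title": "title",
}

# Constructed sample data, not a real movie database.
SAMPLE_MOVIES = [
    ("Dune", "Villeneuve", "Chalamet"),
    ("Mr. Smith Goes to Washington", "Capra", "Stewart"),
    ("Harbor Lights", "Smith", "Stewart"),
]


def open_db():
    """In-memory SQLite table standing in for the MySQL 'movies' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE movies (title TEXT, director_lname TEXT, star TEXT)")
    con.executemany("INSERT INTO movies VALUES (?, ?, ?)", SAMPLE_MOVIES)
    return con


def search_by_allowlist(con, column_choice, value):
    """Approach 1 from the answer (build the WHERE clause dynamically), made safe:
    the column name comes from the allowlist, never from the request text, and
    the search value is a bound parameter."""
    column = SEARCHABLE_COLUMNS.get(column_choice)
    if column is None:
        raise ValueError(f"unsupported search column: {column_choice!r}")
    sql = f"SELECT title FROM movies WHERE {column} = ? ORDER BY title"
    return [row[0] for row in con.execute(sql, (value,))]


def search_by_static_sql(con, column_choice, value):
    """Approach 2 from the answer: one fixed statement that branches on the
    field name inside SQL, so both inputs are plain bound parameters. An
    unknown field name simply matches nothing."""
    sql = """
        SELECT title FROM movies
        WHERE (:field = 'director_lname' AND director_lname = :value)
           OR (:field = 'star' AND star = :value)
           OR (:field = 'title' AND title = :value)
        ORDER BY title
    """
    params = {"field": column_choice, "value": value}
    return [row[0] for row in con.execute(sql, params)]


if __name__ == "__main__":
    db = open_db()
    print(search_by_allowlist(db, "director_lname", "Smith"))
    print(search_by_static_sql(db, "star", "Stewart"))
```

In a real form handler the two arguments come from $_POST["columnsearch"] and $_POST["contentsearch"]; the point is that the column value is never trusted as SQL text, only used to select a known column, and the search text is never interpolated into the statement.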

Problem updating values in combobox in vb.net

I have this code, but I have a problem.
When I update but do not really make any changes to the value and press the update button, the data becomes null, and it seems as if I deleted the value.
I've thought of a solution, which is to add both combobox1.selectedtext and combobox1.selecteditem to the function. But it doesn't work.
combobox1.selecteditem works when you alter the values when you update, but will save a null value when you don't alter the values using the combobox.
combobox1.selectedtext will save the data into the database even without altering,
but will not save the data if you try to alter it.
And I incorporated both of them, but still only one is performing, and I think it is the one that I added first:
Dim shikai As New Updater
Try
shikai.id = TextBox1.Text
shikai.fname = TextBox2.Text
shikai.mi = TextBox3.Text
shikai.lname = TextBox4.Text
shikai.ad = TextBox5.Text
shikai.contact = TextBox9.Text
shikai.year = ComboBox1.SelectedText
shikai.section = ComboBox2.SelectedText
shikai.gender = ComboBox3.SelectedText
shikai.religion = ComboBox4.SelectedText
shikai.year = ComboBox1.SelectedItem
shikai.section = ComboBox2.SelectedItem
shikai.gender = ComboBox3.SelectedItem
shikai.religion = ComboBox4.SelectedItem
shikai.bday = TextBox6.Text
shikai.updates()
MsgBox("Successfully updated!")
Catch ex As Exception
MsgBox("Update failed: " & ex.Message)
End Try
Please help, what would be a simple workaround to solve this problem?
a few things to remember ---
a 'selected____' anything is only non-null when something is, uhm, SELECTED. To ensure that SOMETHING is selected even at start add a line like: ComboBox1.SelectedIndex = 0.
If your recordset has non-string types (like a DATE field might be) then be sure to first check then coerce the string coming back as TEXT to the correct type. I.e....
if isDate(ComboBox1.SelectedText) then ... 'it's ok to use this coerced text.
Since a combobox (as well as a listbox) can hold an entire CLASS (i.e. any kind of OBJECT) ... any SelectedItem assignment had better match EXACTLY to the type that was .Items.Add 'ed originally to the control.