Coldfusion case generating an error - mysql

I am trying to troubleshoot a problem with our Coldfusion application.
The problem is this line I think-:
<cfset discountAmountClause =
"CASE WHEN discountAmount_rateType = 0 THEN #oldPrice# * discountAmount_discount / 100
ELSE discountAmount_discount END">
The error message from the application is You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '* discountAmount_discount / 100 ELSE discountAmount_discount END
I'm not sure whether there is an issue with the code or something more serious so if anyone with more experience than me can shed some light I would be really grateful...

Your oldPrice variable has Null or blank value and that is causing your sql to misfire.
You can adjust it conditionally:
<cfif oldPrice EQ "">
<cfset oldPrice = 0>
</cfif>
<cfset discountAmountClause = "CASE WHEN discountAmount_rateType = 0
THEN #oldPrice# * discountAmount_discount / 100
ELSE discountAmount_discount
END">

So after further investigation and thanks to the help of the comments left in this thread I managed to track down the error to the #oldprice# variable.
One of our pages that called the #oldprice# variable shouldn't have been active because the #oldprice# just didn't exist for that page. A link to this page was included on a number of other pages along with the #oldprice# variable which then caused a bunch of pages to 404 error.
Once I removed the problem page the other pages worked fine and the error stopped being generated.
It was a little harder to track this down as this page was one of 1679! However with the assistance given here I managed to get there in the end.
Thanks!

Related

MySQL - Where is the Error in this Query? (Error 1064)

I'm trying to execute the query below but WorkBench keeps complaining about a syntax error (Error 1064). I don't know what the error is because even WorkBench highlights each bracket pair and so I can't say there is a missing bracket. Please help.
SELECT
If(Right(Trim(`tbloldfurniture`.`NotesOnOldness`), 4) = 'susp', Substring(Trim(`tbloldfurniture`.`NotesOnOldness`), 1, Char_Length(Trim(Lower(`tbloldfurniture`.`NotesOnOldness`)) - 1)) ,Substring(Trim(Lower(`tbloldfurniture`.`NotesOnOldness`))))
FROM `tbloldfurniture`;
This is the same query broken into its separate parts to aid readability.
SELECT
If(
Right(Trim(`tbloldfurniture`.`NotesOnOldness`), 4) = 'susp',
Substring(Trim(`tbloldfurniture`.`NotesOnOldness`), 1, Char_Length(Trim(Lower(`tbloldfurniture`.`NotesOnOldness`)) - 1)) ,
Substring(Trim(Lower(`tbloldfurniture`.`NotesOnOldness`)))
)
FROM `tbloldfurniture`;
MySQL's substring() function expects at least two parameters and you're feeding it just one in Substring(Trim(Lower(tbloldfurniture.NotesOnOldness))).
Also, you're probably doing something wrong, as you're deducting 1 from a string in Char_Length(Trim(Lower(tbloldfurniture.NotesOnOldness)) - 1).
And yeah, SQL is notoriously terrible with its error messages. Confusing as heck.
The 1064 error is a syntax error. This means the reason there’s a problem is because MySQL doesn’t understand what you’re asking it to do. Cant see an issue with what you have put tho. If your query attempts to reference information in a database and can’t find it, that could be the issue ?

SQL Injection on update query

So I have a server set up to serve payment requests. A user enters their credit card details in a form.
Query to inject here:
$sql = "UPDATE users SET credit_card'".$credit_card."', cvv='".$cvv."', expdate='".$exp."' WHERE userid='".$_SESSION['userid']."'";
I am trying to change another users password from this query.
Where the $credit_card is posted from a form. Im trying to inject the $credit_card part by writing my own query and getting rid of the rest by adding ;-- to the end.
The statement I am using for $credit_card is :
', password='test' where userid='10';--
Now, I am positive this was working yesterday but now the following error appears and I cannot wrap my head around it. Any help please?
Query failed: UPDATE users SET credit_card'', password='test' WHERE userid='20';--, cvv='', expdate='' WHERE userid='20'
Not all database functions accept multiple statements so the ; delimiter may be considered unexpected input.
The syntax for single-line comments in MySQL is -- Foo (please note the white space after the double-dash).
If the server code is yours, you can just print the actually error message generated by the server (and not some generic "something went wrong" text). If it isn't, just copy and paste the SQL code from the error message into your favourite MySQL client.

IF condition MySQL not working

I am trying to execute a query into MySQL but it keeps telling me i am using the wrong syntax, I tried searching the MySQL community but I am not getting anything usefull.. most of the answers i find on google are for other databases yet they label them for "MySQL", yet it keeps failing.
This is the statement i am trying to execute:
$statement = "IF (SELECT ttb_id FROM timetable WHERE ttb_week = $i AND ttb_time = $j) THEN
BEGIN
UPDATE types SET typ_name = '$subj'
WHERE typ_name = 'student';
END;
ELSE
BEGIN
INSERT INTO types VALUES (null,`Yo`);
END;
";
error:
ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IF (SELECT ttb_id FROM timetable WHERE ttb_week = 0 AND ttb_time = 0) THEN ' at line 1
I am using:
PHP Script Language Version 5.2.6
MySQL Database Version 5.0.51b
I have been looking around but to no avail, and the if condition stated on the MySQL dev website are not helping at all..
I am new to this and it is driving me mad! all the different queries i tried failed.. it is never the right syntax.
I found many answers for the problem on stackExchange and other websites but it is always wrong.. also I remember this structure from a VB.net lesson a while ago so maybe this is for MSSQL? then what about MySQL? everyone so far listed similar structure and said it works for MySQL, I took my answer from an answer on this community* labeled for MySQL and he claimed it worked. this is one of many i tried.
I would really appreciate your help
*: Usage of MySQL's "IF EXISTS"
My first thought would be you're not comparing your SELECT return to anything to actually utilize your conditional logic. Are you just looking to see if your query returns values? If it doesn't return a value then you insert a new record in otherwise you update.
Maybe use IS NOT NULL or a check to see count on the select to see how many rows and compare to see if that's greater than 0.
IF (SELECT ttb_id FROM timetable WHERE ttb_week = $i AND ttb_time = $j IS NOT NULL) THEN
IF (SELECT COUNT(*) FROM timetable WHERE ttb_week = $i AND ttb_time = $j) > 0 THEN

MYSQL modify record if blank

I've tried searching for my answer but likely don't know the correct phrase(s) to ask. Basically my database has situations where we don't leave the data blank for whatever reason (not my call). For example, we have a url column that is by default "http://" instead of just leaving it blank.
It makes auditing data without exporting and filtering a hassle when you have text that looks like something is there but really isn't. This is just one of a few cases. Is there any way in MYSQL to do an IF statement that will search for the string you know exists and switch it with "" BUT will not replace the values that aren't the string you are replacing?
I've seen IF ELSE statements but my issue with that is that the the other data is being modified which is not ideal since their url is very specific so an else is not ideal.
For example, I had the normal code with this result: Example Image
But this is what happens when I try the IF statement (notice that the "http://" is gone, as I wanted, BUT the other organization URL's have been switched to whatever I put after the last comma): Example Image
I tried the alternative of not including an ELSE hoping that would help but I resulted in the following error:
CODE: IF (o.url = "http://","") as "Web Site"
ERROR: MySQL Error 1064:: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') as "Web Site" FROM organization o LEFT JOIN seed_organization_status ' at line 6 :: SQL:/ DirectQuery ID: 31 User ID: 64432 / SELECT o.organization_id as "track code|link:organization", o.incorporation_dt as "Inc. Date|format:date", os.name as "Company Size", sos.name as "start-up", IF (o.url = "http://","") as "Web Site" FROM organization o LEFT JOIN seed_organization_status sos ON o.seed_organization_status_id=sos.id LEFT JOIN organization_size os ON o.organization_size_id=os.organization_size_id WHERE sos.name = "Start-Up" ORDER BY o.name
Any help would be greatly appreciated. Thank you!

Coldfusion 8 Multi Thread Concurrency

I had a problem with Coldfusion 8 that I posted on Stack Overflow not too long ago Coldfusion 8 doing both CFIf and the CFElse statement
that I thought I had narrowed down to a mysql problem, but with (much) further investigation, I have narrowed it down to a Multi threading / Multiple requests per session issue. (That may still be a MYSQL problem, but I have no idea how to fix it)
What is really going wrong with the code :
<cfif isValid("email", form.email)>
<cfquery name="check_user" datasource="#request.dsn#">
SELECT var_username, var_password
FROM tbl_users
WHERE var_username = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#FORM.EMAIL#">
AND var_password = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#FORM.PASSWORD#">
</cfquery>
<cfif check_user.recordcount EQ 0>
<cfquery datasource="#request.dsn#" name="insertuser">
INSERT INTO tbl_users (var_username, var_password) VALUES
(<cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#FORM.EMAIL#">, <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#FORM.PASSWORD#">)
</cfquery>
<cflogin idletimeout="1800">
<cfloginuser
name = "#FORM.email#"
password ="#FORM.password#"
roles = "0">
</cflogin>
<cflocation addtoken="No" url="#request.secure_url#checkout.cfm">
<cfelse>
<cfset client.error_message = "Your Email Address is already registered.">
<cflocation addtoken="No" url="#request.site_url#New-Account.html">
</cfif>
<cfelse>
<cfset client.error_message = "Your Email Address is not Valid.">
<cflocation addtoken="No" url="#request.site_url#New-Account.html">
</cfif>
is that there are 2 concurrent requests being made by the same user. If the requests are slightly staggered, Request A will insert the user into the database, but before Request A can CFLOGIN and CFLOCATION, Request B gets to the CFIF Notices that there is already a user in the database, and creats the CLIENT.ERROR_MESSAGE and CFLOCATION's to New-Account.html .
However, if the requests are not staggered, what happens is that the code appears to work, and sends the user to the checkout.cfm page, however in the database, the user is inserted twice.
The steps I have taken to try and resolve this:
1: Using different Databases within the same MYSQL Server (by changing the datasource to one of our other sites that have a similar/identical tbl_users). Same results.
2: Putting the website on a different coldfusion 8/windows 2003 server (but used the same MYSQL Server). Same results.
3: Put a
<cflock name="NewUser" timeout="30" type="EXCLUSIVE">
at the beginning of the code and a
</cflock>
at the end of the code. Same Results.
I really thought that putting a CFLOCK on the code would fix the issue, but it didn't, and now I have no idea what to do next (but it could be because I have never used CFLOCK before, and am using it wrong). Does anyone have any Ideas how to fix this issue so that only one request is sent? Or any ideas why 2 requests are being sent? (I don't think its pebkac, because I am the one doing the testing, and I am not hitting the submit button twice)
Also, I am using a windows 2003 web server, with coldfusion 8. And a seperate windows 2003 server with MYSQL 5.
Sorry my rank isn't high enough to just post a comment below your question...
I'm wondering why you are getting two or more concurrent requests for a user for that section of code. Are you accessing other CFM files using AJAX or the ColdFusion AJAX functions?
I think that your solution will be to track down why one user will hit that section of code multiple times.
You could use <cflog> to track how this section of code is called.
You're building a concurrent application. Be happy you found this problem so early in your development cycle. Concurrent applications work best when they use DBMS constraints to manage their concurrency rather than the kind of code you've shown in your example.
I suggest you switch to InnoDB if you aren't using it already, then set up your tbl_users.var_username column as a primary key with a unique constraint in the database.
Then, don't SELECT from your table. Just do the INSERT. You'll get an exception from the <cfquery> insert operation if the username is already there. Handle it appropriately. If the INSERT works correctly, you just added a new user and all is well. If it fails, you tried to add a duplicate user, and you can present an appropriate response on your web user interface.