Running a cfquery in a cfc and passing parameters through AJAX

I am currently setting up a system to retrieve data from my ColdFusion database using JavaScript. However, I am encountering an error and unsure of its cause since I am relatively new to CF. The specific engine I am utilizing is ColdFusion MX 7.

Below is the content of the CFC file named cfquery.cfc:

<cfcomponent output="no">
    <cffunction name="phonebookQuery" access="remote" returnType="struct">
        <cfargument name="select" type="string" required="yes">
        <cfargument name="from" type="string" required="yes">
        <cfargument name="where" type="string" required="yes">
        <cfargument name="orderBy" type="string" required="yes">

        <cfquery name="query" datasource="phonebook">
            SELECT #select#
            FROM #from#
            WHERE #where#
            ORDER BY #orderBy#
        </cfquery>
        <cfreturn query>
    </cffunction>
</cfcomponent>

It seems that I might not be returning values correctly as my code fails to execute beyond a certain point.

Presented below is the JS function responsible for making an AJAX call. Although I acknowledge that using async: false is not best practice, I am opting for temporary functionality until the main implementation stage where promises or callbacks will come into play.

function cfQuery(p){
  var result;
  var queryStr= "cfquery.cfc?method=phonebookQuery&" +
    "select="+p.select+"&"+
    "from="+p.from+"&"+
    "where="+p.where.replace("=","%3D")+"&"+
    "orderBy="+p.orderBy;
  $.get( queryStr, function(data){
    result=data;
  });
  return result;
}

The code snippet below showcases a specific function call example I am trying to rectify:

var query_result= cfQuery({
    select: "*",
    from: "shareloantypes",
    where: "share_loan='S'",
    orderBy: "share_loan_type"
});

A server error occurs whenever I run the above code. It indicates a syntax problem near the 'S' in the SQL statement:

Error Executing Database Query.

[Macromedia][SequeLink JDBC Driver][ODBC Socket][Microsoft][ODBC SQL Server Driver][SQL Server]

Line 1: Incorrect syntax near 'S'.

The error occurred in C:\Inetpub\wwwroot\xxxxxx\report\cfquery.cfc: line 12
10 :            FROM #from#
11 :            WHERE #where#
12 :            ORDER BY #orderBy#
13 :        </cfquery>
14 :        <cfreturn query>

SQL    SELECT * FROM shareloantypes WHERE share_loan=''S'' ORDER BY share_loan_type
DATASOURCE    phonebook
VENDORERRORCODE   170
SQLSTATE      42000

My issue lies with the transformation of 'S' into ''S''. How can this be resolved? When replacing where: "share_loan='S'" with where: "share_loan=S" within the function call, the generated SQL omits quotes entirely leading to an "invalid column name" error.

javascriptajaxcoldfusion

Answer №1

Here's a suggestion to improve your code:

<cfquery name="query" datasource="phonebook">
    SELECT '#select#'
    FROM '#from#'
    WHERE '#where#'
    ORDER BY '#orderBy#'
</cfquery>

Based on my findings, enclosing the variables in quotes instructs ColdFusion to handle those values like SQL statements. This approach prevents escaping of quotes and helps prevent SQL injection attacks.

In my experience, using this method also provides protection against SQL injection. While there are specific ColdFusion prepared statements available, this shortcut method effectively achieves the same goal of preventing injection. If someone can provide evidence or examples disproving this, please feel free to correct me.

Edit: Upon reviewing your code again, it may work as intended, but from personal practice, I usually pass variable values rather than constructing the entire query. An alternative approach could be:

<cfquery name="query" datasource="phonebook">
    SELECT *
    FROM mytable
    WHERE ID > '#minID#'
    ORDER BY ID DESC
</cfquery>

In this scenario, you're only passing the comparison value instead of building the complete WHERE clause.

Edit: After further consideration, I cannot confidently state that the previous code is immune to SQL injection vulnerabilities. To safely execute the second query mentioned (with a variable in the WHERE clause), use the following format:

<cfquery name="query" datasource="phonebook">
    SELECT *
    FROM mytable
    WHERE ID > <cfqueryparam value="#minID#" CFSQLType="CF_SQL_INTEGER">
    ORDER BY ID DESC
</cfquery>

To learn more about cfqueryparam, refer to:

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Unable to retrieve the most recent global variable value within the confirmation box

<script type="text/javascript"> var customDiv ="hello"; $(function () { var $form = $("#authNotificationForm"); var startItems = $form.serializeArray(); startItems = convertSerializedArrayToHash(startItems); $("#authNoti ...

javascriptjquerydialogmodal-dialogconfirmation

Ways to execute a script from termly on NextJS using JSX

I've been utilizing termly to assist in creating legal terms for a website I'm developing. They provided me with some HTML containing a script, but I am struggling to get it to execute on a page in JSX. I attempted to use both Script and dangerou ...

javascriptreactjsnext.jsjsx

Ways to resolve issues related to null type checking in TypeScript

I am encountering an issue with a property that can be null in my code. Even though I check for the value not being null and being an array before adding a new value to it, the type checker still considers the value as potentially null. Can anyone shed lig ...

javascripttypescripttypesnull

Transmitting an Array Using an Ajax Call

Is there anyone knowledgeable in Ajax here? I'm struggling with sending a javascript array in an ajax request. Can someone provide me with an example of how the ajax request should be formatted? My goal is to gather all the javascript data, package it ...

javascriptajaxcoldfusion

The functionality of the Javascript window.print() method is limited to a single use

I've been working on an Angular project and I have the following code snippet implemented in one of the components. Everything works fine when I try to print for the first time using the onClickPrint() method, but it doesn't seem to trigger when ...

javascriptangular

Fetching post value via AJAX in Codeigniter views: A step-by-step guide

Having issues receiving Ajax response as it is coming back null. The HTML layout includes: <form method="post" action="<?php $_SERVER['PHP_SELF'] ?>"> <select class="form-control" class="form-control" id="choose_country"& ...

javascriptajaxcodeigniter

Custom properties of an object are being erased when converting to JSON format within the canvas

I am working on a canvas project that involves multiple image objects, each with custom attributes. My goal is to save this canvas as a json object in a database, but the conversion process seems to strip away the custom attributes. Currently, I am using t ...

javascriptjsoncanvashtml5-canvasfabricjs

In what way does the map assign the new value in this scenario?

I have an array named this.list and the goal is to iterate over its items and assign new values to them: this.list = this.list.map(item => { if (item.id === target.id) { item.dataX = parseFloat(target.getAttribute('data-x')) item.da ...

javascript

Strange Actions with JQuery Drag-and-Drop Functionality

Apologies for my limited experience with JQuery UI, but I am in the process of creating a web-based chess engine for 2 players using JavaScript. Instead of point and click, I have decided to implement a user-friendly drag and drop feature for non-mobile us ...

javascriptjqueryjquery-uijquery-ui-draggablejquery-ui-droppable

Using jQuery to validate the existence of a link

Within my pagination div, I have links to the previous page and next page. The link to the previous page is structured as follows: <span id="previous"><a href="www.site.com/page/1" >Previous</a>. However, on the first page, there will be ...

javascriptjqueryhtmlcss

What is causing my vue.js table to not display properly?

Struggling to render a table using vue.js? You're not alone. Many developers face challenges when trying to use v-for to iterate through data and display it in a table format. It can be frustrating when everything seems fine in the console, but the ta ...

javascriptvue.js

Which is better for scrolling in Angular 2+: using HostListener or window.pageYOffset?

Which syntax is best for maximizing performance in Angular 2+? Is it necessary to use HostListener, or is it simpler to obtain the scroll position using the onscroll window event and pageYOffset? @HostListener('window:scroll', ['$event&ap ...

javascriptangular

When trying to assign the result of res.send() to another variable in NodeJS Express, it does

My current Express version is 3.4.4 and I encountered an issue when trying to implement the following code: var cb = res.send; cb(result); This resulted in an error message: ...\node_modules\express\lib\response.js:84 var HEAD ...

javascriptnode.jsexpress

Struggling with implementing a login authentication system with AJAX technology

I've been struggling to develop an AJAX script that communicates with a PHP script to verify the username and password entered. The PHP script returns "true" if the details are correct and "false" otherwise. In my AJAX script, I have implemented an i ...

phpajax

What is the best way to create a time delay between two consecutive desktop screenshot captures?

screenshot-desktop is a unique npm API that captures desktop screenshots and saves them upon request. However, I encounter the need to call the function three times with a 5-second delay between each call. Since this API works on promises, the calls are e ...

javascriptnode.jsnpm

Saving URLSearchParams to a file using javascript

I am currently implementing jstree and I need to be able to click on a file within the tree structure in order to display a PDF file. Below is the relevant code snippet: $(function () { $('#tree').jstree({ 'core' : { ...

javascript

Leverage the power of jQuery and AJAX in conjunction with the Laravel framework to showcase and

I am currently working on a page that showcases various products. Initially, I had set up a route as follows: Route::get('products/{category}/{subcategory}') In my controller, I was returning results from the database to display the items. Howe ...

jqueryajaxlaravel

Is there a way to effectively alter an object that has been assigned in a separate file?

Seeking Assistance: I am facing an issue in my current project where I need to store a javascript object in an external file and then export it using module.exports. The challenge now is that I want another file to be able to modify a specific value withi ...

javascriptnode.jsobjectdynamicnode-modules

Exploring innovative CSS/Javascript techniques for creating intricate drawings

When using browsers other than Internet Explorer, the <canvas> element allows for advanced drawing. However, in IE, drawing with <div> elements can be slow for anything more than basic tasks. Is there a way to do basic drawing in IE 5+ using o ...

javascriptcssinternet-explorerdrawing

If the number exceeds 1, then proceed with this action

I currently have a variable called countTicked, which holds an integer representing the number of relatedBoxes present on the page. I am in need of an if statement that will perform certain actions when the value stored in countTicked exceeds 1. if (!$(c ...

javascriptjqueryif-statement