
I have been helping a friend out with a website he has been working on. He was tasked with maintenance of a ColdFusion website. He is mainly a web design person and my background is ASP.NET.

The problem I am having is they want to be able to add a product to the cart. To quickly accomplish this I was going to use the existing "add to basket" action. The problem lies in the fact that the site normally uses a hidden field named productId, but the quick entry uses a ModelID.

My plan was to fetch the productID from the SQL back end, but every time I try it throws a SQL error. The weird thing is that regardless of the model number entered, the error message shows a different number. Here is the code:

Quick Entry HTML:

<!--- #session.wholesaler# is only evaluated inside <cfoutput>; the form is otherwise as posted --->
<cfoutput>
<form action="index.cfm?do=action" method="POST" NAME="quick">
  <b>Model Number:</b>
  <input type="Text" name="QuickEntryModelNumber" value="" size="8">&nbsp;&nbsp;&nbsp;
  <b>Quantity:</b>
  <input type="Text" name="Quantity" value="" size="2" maxlength="3"><br>
  <input type="hidden" name="wasWholesaler" value="#session.wholesaler#">
  <p align="right"><input type="Submit" name="action" value="Add to basket"></p>
</form>
</cfoutput>

Add To Basket action:

<cfif structkeyexists(form,'ProductID')>
  <!--- Normal path: the product page posts a hidden ProductID field --->
  <cfparam name="inProductID" type="integer" default="0">
  <cfset inProductID = form.ProductID>
<cfelse>
  <!--- Quick-entry path: only a model number was posted, so look the ProductID up --->
  <cfparam name="inProductID" type="integer" default="0">
  <!--- The WHERE clause below is the line that raises the conversion error --->
  <cfquery name="GetID" datasource="#attributes.dsn#">
  SELECT P.ProductID
  FROM Products P
  WHERE P.ModelNumber = #form.QuickEntryModelNumber#
  </cfquery>

  <!--- The SQL alias P is not a ColdFusion variable; read the column from the query object --->
  <cfif GetID.recordCount>
    <cfset inProductID = GetID.ProductID>
  </cfif>
</cfif>

Basically I was checking to see if ProductID exists in the form data. If not, fetch ProductId from the DB. The error it throws is:

[Macromedia][SQLServer JDBC Driver][SQLServer]Conversion failed when converting the varchar value '088254PC' to data type int.

No matter what you enter for the model ID, the varchar value is always '088254PC'. When I take the SQL query out and set the productId to a static value it functions properly.

I guess this would be a good time to point out that this page is a mess. It has been touched by over 20 different people at different times. It needs to be thrown out and started from scratch. And I have no DB layout. Sigh. Any help you guys can throw my way will be greatly appreciated. ColdFusion is not my thing.


1 Answer


You need to wrap the string in quotes, and better yet use cfqueryparam; ColdFusion will handle the quoting for you (and help prevent SQL injection):

<cfparam name="inProductID" type="integer" default = 0>
<cfquery name="GetID" datasource="#attributes.dsn#">
SELECT P.ProductID
FROM Products P
WHERE P.ModelNumber = <cfqueryparam cf_sql_type="cf_sql_varchar" value="#form.QuickEntryModelNumber#">
</cfquery>

You are probably passing an integer into your query, but 088254PC is already a varchar value in the database, which is why you see the same error every time.

answered 2013-05-04T02:34:33.443
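As an added illustration of the answer's point (example code written for this page, not the poster's ColdFusion and not part of the answer), here is the same lookup in Python against an in-memory SQLite table: once with the form value concatenated into the SQL text, as the original `<cfquery>` does, and once with a bound parameter, as `cfqueryparam` does. The table contents, the model numbers and the function names are constructed for the demo. SQLite does not reproduce SQL Server's exact message: when the submitted value is all digits, SQL Server sees an int literal on one side of `=`, and because int outranks varchar in data type precedence it converts every ModelNumber value to int, so the first non-numeric row ('088254PC') is what the error names whatever you typed. SQLite instead rejects the unquoted token outright. The two behaviours that matter for the fix are the same in both engines: an all-digit model number appears to work, which hides the bug, and anything containing SQL is executed as SQL.

```python
import sqlite3

# Constructed sample data, not from the original page: a minimal Products table in
# which one ModelNumber ("088254PC") is non-numeric and one ("1001") is all digits.
PRODUCTS = [
    (1, "088254PC"),
    (2, "1001"),
    (3, "200B"),
]


def make_db():
    """Create an in-memory database holding the sample Products rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, ModelNumber TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO Products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_unsafe(conn, model_number):
    """Mirror the original <cfquery>: the form value is pasted straight into the SQL
    text, unquoted, exactly as #form.QuickEntryModelNumber# was."""
    sql = f"SELECT P.ProductID FROM Products P WHERE P.ModelNumber = {model_number}"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, model_number):
    """Mirror the cfqueryparam version: the value travels as a bound parameter, so the
    SQL text never changes and the input can only ever be compared as a string."""
    sql = "SELECT P.ProductID FROM Products P WHERE P.ModelNumber = ?"
    return sorted(row[0] for row in conn.execute(sql, (str(model_number),)))


def unsafe_outcome(conn, model_number):
    """Run the unsafe lookup and report ("rows", [...]) or ("error", message), so the
    failure modes can be shown side by side without aborting the demo."""
    try:
        return ("rows", lookup_unsafe(conn, model_number))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    # "088254PC": unsafe fails at parse time, safe finds product 1.
    # "1001":     unsafe happens to work, masking the bug; safe finds product 2.
    # "0 OR 1=1": unsafe returns every product; safe returns nothing.
    for value in ("088254PC", "1001", "0 OR 1=1"):
        print(f"input {value!r:>12}: unsafe -> {unsafe_outcome(db, value)}; "
              f"safe -> {lookup_safe(db, value)}")
```

The third input is the reason the answer recommends `cfqueryparam` rather than just adding quotes: quoting fixes the conversion error, but only a bound parameter keeps a model number like `0 OR 1=1` from rewriting the WHERE clause.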