11 Replies - 5349 Views - Last Post: 29 June 2012 - 12:30 AM

#1 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

linkage ofcgi.script_name to index.cfm

Posted 26 June 2012 - 05:40 AM

I am a beginner and I am trying to use cgi.script_name as the form action attribute during validation. How can I link it to my index page in such a way that when a user clicks submit, he will be directed to my index page? Please, I need helpful responses.

Replies To: linkage ofcgi.script_name to index.cfm

#2 Craig328

  • I make this look good

Reputation: 1926
  • Posts: 3,471
  • Joined: 13-January 08

Re: linkage ofcgi.script_name to index.cfm

Posted 26 June 2012 - 06:11 AM

Welcome to DIC tundefajem!

Let's break down your question into parts and see if we can get you where you want to be.

Quote

I am trying to use cgI.script_name as form action attribute


Okay, that would look something like this:
<form name="yourFormName" method="post" action="<cfoutput>#cgi.script_name#</cfoutput>">


Now, understand that cgi.script_name typically gives you the page name of the page you're already on. So, in the above code example, what you'd be doing is submitting to the same page as the form. If that's what you're wanting to do, you can do that without using any cgi variables at all...just omit the action attribute from the form tag and it will submit to itself.

Quote

how can I LINK it to my Index page in such a way that when a user clicks submit, he will be directed to my index page?


Well, if the above situation (the form page submitting to itself) is what you're wanting to do then, programmatically, you need to detect whether your receiving page has a form submission coming to it and if so redirect them to your index page. There are several ways to do this but the way I prefer is this:
<cfif IsDefined("Form.FieldNames")>


Each time a form post submission is made, the receiving page will always have a form variable called FieldNames. That is a comma delimited list of all the names of the form fields available to the page. The existence of that variable tells you that a form has been submitted to that page. Now, it can get a lot more specific than that (you can have several different form pages submitting to the same process page, for instance) so instead of FieldNames you can check to see if a specific form variable exists from your validation form. In any event, once you've determined that there has been a form submission and it's the form you'd want to result in a send to your index page, you have a couple of additional options to choose from.

You can outright send the user to your index page (which I'll call index.cfm by way of example) with the CFLOCATION tag:

<cfif IsDefined("Form.FieldNames")>
   <cflocation url="index.cfm" addtoken="yes">
</cfif>


Now, what that will do is to immediately send the user to your index page. However, they'll arrive there without the form data they submitted. If this is for a login process you need to either process the login prior to redirecting them to index.cfm or you can get creative and make sure the form data is available on index.cfm when they arrive and process it there. Since you're a beginner I suggest the former option (process the form/login first) and, if successful, send them to index.cfm.

If you have more detailed questions, post them back here.

Good luck!

This post has been edited by Craig328: 26 June 2012 - 06:12 AM


#3 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 26 June 2012 - 09:16 AM

Thanks for your comment, I gained from it, but the issue I'm having is that I have a login_process where verification is done before a user is allowed to log in. For verification purposes, I set the cflocation to #cgi.script_name# and I now set the action attribute of the form to #cgi.script_name# again; that was the reason why it's coming back to the login page any time I click on submit. Please, can you lecture me on cgi.script_name, especially when it comes to using it for verification purposes? Thanks

#4 Craig328

  • I make this look good

Reputation: 1926
  • Posts: 3,471
  • Joined: 13-January 08

Re: linkage ofcgi.script_name to index.cfm

Posted 26 June 2012 - 09:24 AM

Why don't you go ahead and post your login and login_process page code here and we'll see what's going on.

Please remember to use the CODE tags when posting your code.

#5 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 26 June 2012 - 09:46 AM

Craig328, on 26 June 2012 - 09:24 AM, said:

Why don't you go ahead and post your login and login_process page code here and we'll see what's going on.

Please remember to use the CODE tags when posting your code.


#6 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 26 June 2012 - 10:25 AM

tundefajem, on 26 June 2012 - 09:46 AM, said:

Craig328, on 26 June 2012 - 09:24 AM, said:

Why don't you go ahead and post your login and login_process page code here and we'll see what's going on.

Please remember to use the CODE tags when posting your code.


I made an application.cfm
For my login:
<Cfif isdefined("form.username")>
<Cfinclude template="login_process.cfm">
</cfif>

<Cfform action="#cgi.script_name#?#cgi.query_string#" name="login" method="post">
<Cfinput type="text" name="username">
<Cfinput type="password" name="password">
<Cfinput type="submit" value="submit">
</cfform>

<Cfif isdefined("form.username") and isdefined("form.password")>
<Cflocation url="index.cfm">



Login_process
<Cfparam name="username" type="string">
<Cfparam name="password" type="string">
<CfQuery>database</cfquery>
<Cfif query.recordcount is 1>
<Cfset session.auth.isloggedin="yes">
<Cfset session.auth.userid=query.userid>
<Cflocation url="#cgi.script_name#?#cgi.query_string#">



#7 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 27 June 2012 - 01:46 AM

Those are the codes, please, can you explain how this CGI

tundefajem, on 27 June 2012 - 01:41 AM, said:

Those are the codes. Please, can you explain how this CGI works, especially pertaining to the area of scripting and validation? I have been checking some tutorials but don't seem to be getting it properly. Thanks


#8 Craig328

  • I make this look good

Reputation: 1926
  • Posts: 3,471
  • Joined: 13-January 08

Re: linkage ofcgi.script_name to index.cfm

Posted 27 June 2012 - 06:20 AM

Okay, let's go ahead and set up your page the way it actually runs:
<Cfif isdefined("form.username")>
<!--- <Cfinclude template="login_process.cfm"> --->
   <Cfparam name="username" type="string">
   <Cfparam name="password" type="string">
   <CfQuery>database</cfquery>
   <Cfif query.recordcount is 1>
      <Cfset session.auth.isloggedin="yes">
      <Cfset session.auth.userid=query.userid>
      <Cflocation url="#cgi.script_name#?#cgi.query_string#">
   <!--- No closing CFIF here? --->
<!--- End login_process include --->   
</cfif>

<Cfform action="#cgi.script_name#?#cgi.query_string#" name="login" method="post">
<Cfinput type="text" name="username">
<Cfinput type="password" name="password">
<Cfinput type="submit" value="submit">
</cfform>

<Cfif isdefined("form.username") and isdefined("form.password")>
<Cflocation url="index.cfm">



So, all I've done above is to include the login_process.cfm page inline with your "login" code. That's all a cfinclude does: it just includes the contents of whatever page you've decided to include at the place where you put the cfinclude tag. From what you've posted, there doesn't appear to be a reason why you'd break out login_process.cfm as a separate page and then include it, but I realize you may not have posted all of your code.

Anyway, let's talk the logic through. Line 1 says if there is a form element called username, execute the code between lines 1 and 12. Lines 3 and 4 create default unscoped (important distinction) variables but don't assign a default value for them so I'm not sure what you'd get from that. Line 5 is where I guess you stripped out a query to your database using the username and password values to try and login a user. This code is important to see because of the logic issue you may have at this point. Keep in mind, by virtue of line 1 you already have a form.username variable available (it may not have a value to it but there is a variable present) but then on line 3, you create another variable called username but it's not scoped and it doesn't have a default value. It depends on which of those variables you're using in your query as to whether your query will even work.

Line 6 checks to see if the query came back with a successful login attempt; lines 7 and 8 set two variables (isloggedin and userid) into a struct called auth that is stored in the user's session scope. For a beginner that's a rather advanced concept so I'm guessing that you inherited that code/process. In any event, it does provide the application two variables with which it can identify the user later and check the logged in status as long as the user's session lasts.

Now, line 9...this is where it gets weird. You're trying to redirect the user after a successful login, right? That's an entirely normal and expected next step...but the URL you're sending them to is "cgi.script_name" (along with whatever content is in the cgi.query_string). I get that you're new to CF but why would you direct them to a cgi defined URL? Why not explicitly send them to "index.cfm"? You have this odd fixation with cgi variables which, in all honesty, ColdFusion devs don't tend to make much use of. CGI variables aren't secure (they can be spoofed by a malicious user trying to hack your site) and, presumably, you know where you want to send your users. Just send them there. Because in this instance, if the page that Line 1 is on is called login.cfm...the cgi.script_name value will be "/login.cfm". In other words, despite a successful login attempt, you're sending your user right back to login.cfm.

You'll notice on line 10 that I dropped a comment about a missing cfif closing tag. For future reference, when we ask you to post your code here, it's helpful to post all of it (as long as it's not hundreds of lines of code). I get that you may have some kind of security concern but, believe me, unless we know the URL of your site (you haven't mentioned it) there isn't anything anyone can do on the basis of a code snippet you post here.

Lines 14-18 are the login form. Nothing untoward there except, again, your form action attribute is cgi variables. In this case, it actually works for you somewhat because the cgi.script_name for this page is login.cfm and once the user submits the form and they're redirected back to this page, line 1 will fire and lines 3-9 will try and log them in (per my comments above). But again, if you want to send them to login.cfm for the form processing, just say so. Forget the cgi stuff. Now, lines 20 and 21 will redirect the user to index.cfm if form.username and form.password exist. Not whether they've been validated as correct login credentials...just whether they exist. In this case, they could both be blank and, if the user gets this far (they won't because of line 9) your code would send them to index.cfm. They won't get this far though because line 1 will fire before line 20 will...and I've explained what will happen on lines 3-9 in that the user will never actually be able to leave this page the way it's coded now.

So, I hope you understand the logic breakdown you're having by using the cgi variables to define where you're trying to send your users. That is most of your problem here. I have a concern about the query you chose not to include because I suspect you may be using unscoped variable references in your where statement of your query and that they probably also lack something called bind parameters (CFQUERYPARAM) which can lead to incorrect query results for the former and presenting a security hole for a SQL injection attack for the latter.

Anyway, that should be a fair amount of info to get you headed in the right direction. If you need further assistance, feel free to post back here.

Good luck!

#9 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 27 June 2012 - 07:25 AM

Thank you so much, I thought the cgi scope would make a more secure application, as I am looking for better ways to make a secure application. I am using my phone to reply to you and it makes typing cumbersome; that was why I didn't include the query.
Here is the query:
<Cfquery name="getuser" datasource="validate">
SELECT userid,username
FROM user
WHERE username='form.username'
</cfquery>


You made mention of cfqueryparam, how is it used?
Thanks

#10 Craig328

  • I make this look good

Reputation: 1926
  • Posts: 3,471
  • Joined: 13-January 08

Re: linkage ofcgi.script_name to index.cfm

Posted 27 June 2012 - 08:14 AM

Ah. Well, insofar as security goes, as a general rule of thumb, anytime you can explicitly hard code a URL rather than use a variable, it'll be more secure. Use of some variable types (form, URL, cgi, cookies) carries with it a risk that the user has altered their content. It's just something to know as you build applications.

Now, one of the reasons people would want to alter a variable's content would be to try to hack your site. One of the more common ways to hack a site is through what is known as a SQL injection attack...and the way your query is written, it's wide open for such an attack.

A SQL injection attack normally happens with form variables and sometimes with URL variables. What happens is, say you have a login form (like you do) and rather than putting in a proper login name like "username" the user puts in something like this: "username; drop table user;". That string, when supplied to an unprotected query like you have there, would result in your table named "user" being deleted along with all its data. The semicolon in SQL indicates the end of a command so putting one after a generic username attempt along with the drop table command could work depending on the database product you're using and the user rights the database account has that your "validate" datasource was set up with. It's not automatically going to work but, with the right circumstances, it could. And drop table is only one possible command the user could execute. They could also create a new database account, give it ownership rights and then they'd have total control over your entire database and possibly other databases on the same server.

Use of the CFQUERYPARAM tag eliminates that altogether. It checks the data with the datatype of the field it's referencing and it applies something called a bind parameter to the data in the query. I won't go into what a bind parameter is or how it works but it's enough for a CF dev to know that it stops a SQL injection attack attempt dead in its tracks. Applied to your example, your query would look like this:
<Cfquery name="getuser" datasource="validate">
SELECT userid,username
FROM user
WHERE username=<cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
</cfquery>


I used "varchar" as the datatype because, in your case, that's most likely the datatype of the username field in your user table but if it wasn't, you'd use the appropriate datatype in the tag to match whatever the column datatype is.
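Pulling together the advice in posts #2, #8 and #10 (detect the post, validate the credentials with bind parameters, then redirect to a hard-coded page), here is a complete self-posting login.cfm as an added example; it is not code from this thread. It assumes a datasource named "validate", a table "user" with userid, username and userpass columns, and session management enabled in the application file.

```cfml
<!--- login.cfm (added example, not the thread's code).
      Assumes: datasource "validate", table "user" with columns
      userid, username, userpass; sessionmanagement enabled. --->

<!--- Run the login check only when this specific form was posted.
      Form.FieldNames exists on every POST; checking the two fields we
      expect is more precise when several forms share one processing page. --->
<cfif IsDefined("Form.username") AND IsDefined("Form.userpass")>

    <!--- Bind parameters: the user's input reaches the database as data
          and is never spliced into the SQL text, so a username containing
          quotes or semicolons is just a string that matches no row. --->
    <cfquery name="getUser" datasource="validate">
        SELECT userid, username
        FROM   user
        WHERE  username = <cfqueryparam value="#Form.username#" cfsqltype="cf_sql_varchar" maxlength="30">
        AND    userpass = <cfqueryparam value="#Form.userpass#" cfsqltype="cf_sql_varchar" maxlength="30">
    </cfquery>

    <!--- Redirect only after the credentials matched exactly one row,
          not merely because the form fields exist. --->
    <cfif getUser.recordCount EQ 1>
        <cfset Session.auth = StructNew()>
        <cfset Session.auth.isLoggedIn = true>
        <cfset Session.auth.userid = getUser.userid>
        <!--- Hard-coded destination: cgi.script_name would be this page. --->
        <cflocation url="index.cfm" addtoken="no">
    <cfelse>
        <!--- Fall through and redisplay the form with a generic message. --->
        <cfset loginError = "Unknown user name or password.">
    </cfif>
</cfif>

<cfparam name="loginError" default="">

<!--- No action attribute: the form posts back to this page, which is
      exactly what action="#cgi.script_name#" produced, without trusting
      a CGI value. --->
<cfoutput>
<cfif Len(loginError)><p>#HTMLEditFormat(loginError)#</p></cfif>
<form name="login" method="post">
    <input type="text" name="username" maxlength="30">
    <input type="password" name="userpass" maxlength="30">
    <input type="submit" value="Log in">
</form>
</cfoutput>
```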

#11 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 27 June 2012 - 10:47 AM

I am most grateful for your tutelage; I do not regret joining this forum, you are a mentor.
Please, I know I cannot have more than enough security to protect my application. Can you help give an example of how I can combine URL security with what you just taught me? Then, are there other security measures I can be using to protect my applications? Please, help me discuss with examples as I will understand better through this.
Then, in the area of cfif, can you help in giving areas where I can really tighten my security, like

 
<cfif (form.username) and (form.password) gt 1>
You already have an account
<cfabort>
</cfif>



Please, is this code snippet right? What other validations can I use the if statement for?
I am really grateful.
Thank you.

#12 tundefajem

  • New D.I.C Head

Reputation: 0
  • Posts: 8
  • Joined: 26-June 12

Re: linkage ofcgi.script_name to index.cfm

Posted 29 June 2012 - 12:30 AM

Mr. Craig, Good morning,
Please, help me check these codes; it is not performing any validation and I don't know what is wrong. These are the codes:

For Application.cfm
 <cfcomponent output="false">
  <cfset THIS.name = "Myapp">
  <cfset THIS.sessionmanagement="yes">
 <CFparam name="application.datasource" default="blog">
 
  <cffunction name="onApplicationstart" returntype="void" output="false">
  <cfset APPLICATION.datasource="blog">
  </cffunction>
  
  <cffunction name="onRequeststart" returntype="void" output="false">
  <cfif not isdefined("session.auth.isloggedin")>
  <cfif isdefined("form.username")>
  <cfinclude template="login_process.cfm">
  </cfif>
  
  <cfinclude template="login.cfm">
  <cfabort>
  </cfif>
  </cffunction>
  </cfcomponent>



For the login_process.cfm
<cfquery name="getusers" datasource="#APPLICATION.datasource#">
SELECT userid,username,userpass
FROM users
WHERE username=<cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar"> and 
	userpass=<cfqueryparam value="#form.userpass#" cfsqltype="cf_sql_varchar">
 </cfquery>
 
 <cfif getusers.recordcount eq 1>
 <cfset session.auth=structnew()>
 <cfset session.auth.isloggedin="yes">
 <cfset session.auth.userid=getusers.userid>
 <cfset session.auth.username=getusers.username>
 
 <cflocation url="index.cfm">



For the login.cfm:
<cfif isdefined("form.username")>
<cfinclude template="login_process.cfm">
</cfif>

<body onload="document.login.username.focus();">
<cfform action="index.cfm" method="post">
<cfoutput>
<input type="hidden" name="username_required" />
<input type="hidden" name="userpass_required" />
</cfoutput> 
<table align="center" bgcolor="##999999">
<tr>
 <th colspan="2">
  <font size="+3">LOG IN </font><br />
  If you have a log in account before, log in here:
 </th>
</tr>
<tr>
<td align="left">User Name :</td>
<td>
<cfinput type="text" 
			name="username" 
            size="30" 
            maxlength="30"> 
 </td>
 </tr>
 <tr>
 <td align="left">Password :</td>
<td>
<cfinput type="password" name="userpass" size="30" maxlength="30">
 </td>
 </tr>
 <tr>
 <td colspan="2" align="center">
 <cfinput name="loginuser" type="submit" value="Log in" align="middle">
 </td>
 </tr>
 <tr>
 <td colspan="2">
    If you are a New User <a href="newaccount.cfm">create an account here</a>.
    </td>
    </tr>
   </table>
    </cfform>



Now the index.cfm:
<body>
<cfoutput>
<table align="center" height="60px" width="880px" bgcolor="##CC6633">
  <tr>
  <td align="right"><a href="http://tundefajem.blogspot.com/feeds/posts/default"><h3> Subscribe to Rss</h3></a></td>
  <td><img src="images/rss.png" /></td>
  </tr>
  </table>
  <br />
  <table align="center" height="90px" width="880px" bgcolor="##cc6633">
  <tr>
  <td><font size="+3" face="Trebuchet MS, Arial, Helvetica, sans-serif"><b>Inspirez:</b> Borne out of The Desire to Change this generation through positive thinkin'</font></td>
  <td align="right">
 <form method="get" action="http://www.google.com/search">

<input type="text"   name="q" size="31"
 maxlength="255" value="" />

<input type="submit" value="Go" />
  </form>
  </td>
  </tr>
  </table>
  <br />
  <table align="center" width="880px" height="600px">
  <tr>
  <td width="550px" height="650px" bgcolor="##FFFFFF"></td>
  <td align="right" width="330px" height="650px" bgcolor="##cc6633"></td>
  </tr>
   </table>
   <table align="center" height="30px" width="880px" bgcolor="##CC6633">
    <tr>
    <td><i>&copy; All rights reserved. &nbsp;&nbsp;<b>Inspirez</b></i></td>
    </tr>
    </table>
    </cfoutput>
</body>



Then, can I use URLEncodedFormat for securing my URL?

Thank you.
