Why can't I insert '#Form.Email#'?

I have a CF page “MemberExpress” like the one below:

My Email:

In the page MemberExpressRegActionPage.cfm, I have this:

INSERT INTO Members (HandleName, Age, BirthYear, State, CCountry, Email)

VALUES
('#Form.HandleName#', '#Form.Age#', '#Form.BirthYear#', '#Form.State#', '#Form.CCountry#', '#Form.Email#')

The page cannot be posted successfully; the error is “An error occurred while executing the application. Please try again or contact the administrator.”

The issue is that I cannot insert the '#Form.Email#' value into the database.

If I remove '#Form.Email#' in page MemberExpressRegActionPage.cfm, I can insert successfully without issue. But if I include '#Form.Email#', the page doesn't work.

Also, if in page MemberExpressRegActionPage.cfm I put an exact value like below, it works:

INSERT INTO Members (HandleName, Age, BirthYear, State, CCountry, Email)

VALUES
('#Form.HandleName#', '#Form.Age#', '#Form.BirthYear#', '#Form.State#', '#Form.CCountry#', 'abc65432@yahoo.com')

I spent hours troubleshooting and I have no clue what went wrong. Can someone help me? Also, how do I debug what's wrong with it?

Thanks,

If you look in lucee-server\context\logs\exception.log you should see the error. It sounds like you have some error handling in place that is hiding the actual error, which is great on prod but sucks in local dev.

I have also written a log viewer extension for the admin.

You should always be using cfqueryparam for all user-supplied data* going into a SQL query, otherwise you can be easily hacked via SQL injection attacks.

  • Also for trusted data: the database engine can cache the query plan and will run faster. Basically, any variables being passed into a query should be passed (bound) via cfqueryparam.

The same goes for displaying data: always use encodeForHtml when outputting data, otherwise it's easy for anyone to XSS your website.

OWASP maintains a nice list of things to be aware of:

https://top10proactive.owasp.org/

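The OP's insert rewritten along the lines of this reply: tag-based CFML with every Form value bound via cfqueryparam, a check that the Email field actually arrived in the post, a catch block that logs the real exception instead of letting it vanish behind the generic error page, and encodeForHtml on the echoed values. This is an added example, not code from any poster; the datasource name "members_dsn", the integer types for Age and BirthYear, the maxlength values and the log file name are assumptions.

```cfml
<!--- Added example (not from the thread). Assumed: datasource "members_dsn",
      integer Age/BirthYear columns, varchar lengths shown in maxlength. --->

<!--- A missing field is a likely cause of the OP's failure: fail loudly with a clear message. --->
<cfif NOT structKeyExists(Form, "Email")>
    <cfthrow type="Registration.MissingField"
             message="The registration form did not submit an Email field">
</cfif>

<cftry>
    <cfquery datasource="members_dsn">
        INSERT INTO Members (HandleName, Age, BirthYear, State, CCountry, Email)
        VALUES (
            <cfqueryparam value="#Form.HandleName#" cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#Form.Age#"        cfsqltype="cf_sql_integer">,
            <cfqueryparam value="#Form.BirthYear#"  cfsqltype="cf_sql_integer">,
            <cfqueryparam value="#Form.State#"      cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#Form.CCountry#"   cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#Form.Email#"      cfsqltype="cf_sql_varchar" maxlength="254">
        )
    </cfquery>

    <cfcatch type="any">
        <!--- Record the real message and detail, then rethrow so the
              application-level handler still shows its generic page. --->
        <cflog file="member_register" type="error"
               text="INSERT into Members failed: #cfcatch.message# | #cfcatch.detail#">
        <cfrethrow>
    </cfcatch>
</cftry>

<!--- Echoing submitted values back: encode for the HTML context, never raw. --->
<cfoutput>
    <p>Registered #encodeForHtml(Form.HandleName)# (#encodeForHtml(Form.Email)#)</p>
</cfoutput>
```

The cfqueryparam on Age and BirthYear also rejects non-numeric input before it reaches the database, so a bad value surfaces as a logged, typed error rather than a silent failure.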

I also highly recommend using pure cfscript instead of CFML tags for all business logic; then you can use QueryExecute(), which simplifies the secure query params.

Example (using the Arguments scope for the params, assuming the Form values are passed into a CFC component function):

QueryExecute(
  "
    insert into Members (HandleName, Age, BirthYear, State, CCountry, Email)
    values (:HandleName, :Age, :BirthYear, :State, :CCountry, :Email)
  ",
  {
    "HandleName": {"value": Arguments.HandleName, "sqltype": "varchar"},
    "Age": {"value": Arguments.Age, "sqltype": "varchar"},
    "BirthYear": {"value": Arguments.BirthYear, "sqltype": "varchar"},
    "State": {"value": Arguments.State, "sqltype": "varchar"},
    "CCountry": {"value": Arguments.CCountry, "sqltype": "varchar"},
    "Email": {"value": Arguments.Email, "sqltype": "varchar"}
  }
);

The problem is probably not with the action page, but with the form page. For some reason, the form might not be submitting the email field.

So check the form. Make sure nothing prevents it from submitting the email field.