Shawn asked:

Syntax error in UPDATE statement

When I try to submit the query below I am getting a syntax error. It shows the error is on the WHERE clause line.

FORM.SiteTranslationTestID is numeric

What am I doing wrong?

<cfquery name="MttestUpdate" datasource="#application.DS#" username="#application.dbuser#" password="#application.dbpass#">
UPDATE tblTranslationTestSite
SET	TranslationTestReference	=	'#form.JobAdReference#',
	TranslationTest	=		'#form.TranslationTest#',
	Instructions	=	'#form.TranslationTestInstructions#',
WHERE SiteTranslationTestID = #FORM.SiteTranslationTestID#
</cfquery>


ASKER CERTIFIED SOLUTION
Guy Hengel [angelIII / a3]
This solution is only available to members.
aka:
<cfquery name="MttestUpdate" datasource="#application.DS#" username="#application.dbuser#" password="#application.dbpass#">
UPDATE tblTranslationTestSite
SET      TranslationTestReference      =      '#form.JobAdReference#'
  ,    TranslationTest      =            '#form.TranslationTest#'
  ,    Instructions      =      '#form.TranslationTestInstructions#'
WHERE SiteTranslationTestID = #FORM.SiteTranslationTestID#
</cfquery>


Shawn

ASKER

Can't believe it. I've been staring at it for an hour!

Thanks angelIII: :-D

> WHERE SiteTranslationTestID = #FORM.SiteTranslationTestID#

You should also consider using cfqueryparam on all values to help avoid SQL injection. For example:

WHERE SiteTranslationTestID = <cfqueryparam value="#FORM.SiteTranslationTestID#" cfsqltype="cf_sql_integer">

Shawn

ASKER

Good point agx,
I'm not very familiar with SQL injection but am aware I have to go through my whole site to close any possible leaks. Any advice on this or helpful links? I could open another question for this one. Let me know.
Thanks,
Shawn

I would start by using a tool like the ones listed here to look for queries that are not using cfqueryparam. IIRC, they do not update the code but do show you vulnerable queries:
http://www.coldfusionjedi.com/index.cfm/2008/7/29/What-Folks-arent-using-cfqueryparam

Shawn

ASKER

Thanks again. Looks like a great place to get started. :)

Welcome!
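
The kind of check discussed above, as an added example that is not part of the original thread and is not one of the linked tools: a small Python scanner that reports every `#expr#` interpolated into a cfquery body instead of being bound through cfqueryparam. The sample input is constructed from the thread's query; the `MttestUpdateBound` name and the `cf_sql_varchar` types for the text columns are assumptions.

```python
import re

CFQUERY = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
NAME_ATTR = re.compile(r'\bname\s*=\s*"([^"]*)"', re.I)
HASH_EXPR = re.compile(r"#([^#\n]+)#")


def blank(match):
    # Overwrite with spaces but keep newlines so offsets and line numbers hold.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_unparameterized(cfml):
    """Return (query name, line, expression) for every #expr# interpolated
    into SQL text instead of being bound through <cfqueryparam>."""
    findings = []
    for block in CFQUERY.finditer(cfml):
        name = NAME_ATTR.search(block.group(1))
        sql = CFQUERYPARAM.sub(blank, block.group(2))  # bound values are fine
        sql = sql.replace("##", "  ")                  # "##" is a literal hash
        for expr in HASH_EXPR.finditer(sql):
            line = cfml.count("\n", 0, block.start(2) + expr.start()) + 1
            findings.append((name.group(1) if name else "?", line, expr.group(1)))
    return findings


# Constructed sample: the thread's corrected query, then the same query with
# every value bound. The cfsqltype values for the text columns are assumed.
SAMPLE = '''<cfquery name="MttestUpdate" datasource="#application.DS#">
UPDATE tblTranslationTestSite
SET TranslationTestReference = '#form.JobAdReference#'
  , TranslationTest = '#form.TranslationTest#'
  , Instructions = '#form.TranslationTestInstructions#'
WHERE SiteTranslationTestID = #FORM.SiteTranslationTestID#
</cfquery>
<cfquery name="MttestUpdateBound" datasource="#application.DS#">
UPDATE tblTranslationTestSite
SET TranslationTestReference = <cfqueryparam value="#form.JobAdReference#" cfsqltype="cf_sql_varchar">
  , TranslationTest = <cfqueryparam value="#form.TranslationTest#" cfsqltype="cf_sql_varchar">
  , Instructions = <cfqueryparam value="#form.TranslationTestInstructions#" cfsqltype="cf_sql_varchar">
WHERE SiteTranslationTestID = <cfqueryparam value="#FORM.SiteTranslationTestID#" cfsqltype="cf_sql_integer">
</cfquery>
'''

if __name__ == "__main__":
    for query, line, expr in find_unparameterized(SAMPLE):
        print(f"{query}:{line}: #{expr}# is interpolated, wrap it in <cfqueryparam>")
```

This is a regex pass, so tag attributes containing `>` and SQL assembled in variables before the cfquery still need manual review.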