I'm currently working on a project where my client needs to be able to create, read, update and delete records in a table displayed on a web page. In ColdFusion, CFGRID solves this problem, and here's a simple example using the CFARTGALLERY sample database that comes with ColdFusion 9.

Firstly, create an Artist.cfc file containing the following code.

Now create an index.cfm file containing the following code.

Load the index.cfm page in your web browser and the final result looks a bit like this...



Comments

Wednesday, October 5, 2011 Dan Switzer, II

Just a warning that the qArtists query in the getArtists() method is open to SQL injections. A user could use either of the "gridsort" arguments to potentially inject malicious SQL.

To solve this problem, you can use a helper function to make sure that the column and sort direction are valid values.
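One way to write the helper functions the comment above describes, as an added example rather than the post's own Artist.cfc: the sort column and direction coming from CFGRID are checked against a fixed whitelist before they are placed in the ORDER BY clause, since cfqueryparam cannot protect identifiers. It assumes the CFARTGALLERY datasource and its ARTISTS table, and a grid bound with `cfc:Artist.getArtists({cfgridpage},{cfgridpagesize},{cfgridsortcolumn},{cfgridsortdirection})`.

```cfml
<!--- Artist.cfc (added example, not the post's original file).
      Assumes the CFARTGALLERY datasource and its ARTISTS table. --->
<cfcomponent output="false">

    <!--- Columns CFGRID is allowed to sort on. The sort column is
          interpolated into the SQL, so anything not on this list is
          replaced by the default instead of reaching the query. --->
    <cfset variables.sortableColumns = "ARTISTID,FIRSTNAME,LASTNAME,CITY,STATE">

    <cffunction name="validSortColumn" access="private" returntype="string" output="false">
        <cfargument name="column" type="string" required="true">
        <!--- Return the whitelisted name, or the default for an unknown
              or empty column (CFGRID sends "" before the user sorts). --->
        <cfif ListFindNoCase(variables.sortableColumns, arguments.column)>
            <cfreturn UCase(arguments.column)>
        </cfif>
        <cfreturn "LASTNAME">
    </cffunction>

    <cffunction name="validSortDirection" access="private" returntype="string" output="false">
        <cfargument name="direction" type="string" required="true">
        <!--- Only the two literals ASC or DESC can ever reach the query. --->
        <cfif UCase(arguments.direction) EQ "DESC">
            <cfreturn "DESC">
        </cfif>
        <cfreturn "ASC">
    </cffunction>

    <cffunction name="getArtists" access="remote" returntype="struct" output="false">
        <cfargument name="page" type="numeric" required="true">
        <cfargument name="pageSize" type="numeric" required="true">
        <cfargument name="gridsortcolumn" type="string" required="false" default="">
        <cfargument name="gridsortdirection" type="string" required="false" default="">
        <cfset var qArtists = "">
        <!--- Both user-controlled sort values are normalised before use. --->
        <cfset var col = validSortColumn(arguments.gridsortcolumn)>
        <cfset var dir = validSortDirection(arguments.gridsortdirection)>
        <cfquery name="qArtists" datasource="cfartgallery">
            SELECT ARTISTID, FIRSTNAME, LASTNAME, CITY, STATE
            FROM ARTISTS
            ORDER BY #col# #dir#
        </cfquery>
        <!--- Page the result the way CFGRID expects it. --->
        <cfreturn QueryConvertForGrid(qArtists, arguments.page, arguments.pageSize)>
    </cffunction>

</cfcomponent>
```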


Wednesday, October 5, 2011 Simon Bingham

Thanks Dan. That's a good tip! :)


Friday, October 7, 2011 Chris Dawes

Dan, people should be using their own in-house CF application firewall instead of relying on human coders ;-)

An application firewall that checks inserted fields against their datatype in the DB at a minimum (and key injection keywords), and, by using custom datatypes, checks against custom rules. This also allows you to use CFINSERT and CFUPDATE safely.

I can't believe people are still relying on SQL parameter checks in their code for attack protection, it's so 1990! (but better than nothing) Miss one, and your application is open for attack. Not worth the risk.

