tracker issue : CF-3919479

select a category, or use search below
(searches all categories and all time range)
Title:

ColdFusion 11 patch 3, the cfstoredproc is passing variables by name instead of position

| View in Tracker

Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Rob Weaver / Rob Weaver (Rob Weaver)

Created: 01/12/2015

Components: Database

Versions: 11.0

Failure Type:

Found In Build/Fixed In Build: CF11_Final / 11,0,04,293239

Priority/Frequency: Major / All users will encounter

Locale/System: English / Win 2012 Server x64

Vote Count: 0

Listed in the version 11.0.04.293328 Issues Fixed doc 
Problem Description:

    Prior to CF11 patch 3, variable names in the dbvarname of the cfprocparam tags were ignored, and parameters were passed in the order defined. As a result of this change, any declarations of dbvarname in the application that does not match the actual name of the parameter in the database procedure fails.

dbvarname should be ignored unless we set the value as indicated in the documentation at https://wikidocs.adobe.com/wiki/display/coldfusionen/cfprocparam 

Steps to Reproduce:

    1. Using an Oracle database connection. 

     2. Create a procedure to be called that has a named parameter.

        PROCEDURE new_session (
            sido OUT VARCHAR2,
            usernamex VARCHAR2,
            passwordx VARCHAR2,
            ip_addressx VARCHAR2,
            rand_intx INTEGER,
            app_idx NUMBER,
            check_ipx NUMBER,
            pwd_requiredx NUMBER DEFAULT 1
            );

2. Use that procedure in a cfprocparam with some parameter name misspelled:

       <cfstoredproc procedure="td_session_pkg.new_session" datasource="#application.datasource#">
           <cfprocparam type="Out" cfsqltype="CF_SQL_CHAR" dbvarname="SID_xo" variable="sid">
           <cfprocparam type="In" cfsqltype="CF_SQL_CHAR" dbvarname="USERNAMEx" value="#arguments.username#">
          <cfprocparam type="In" cfsqltype="CF_SQL_CHAR" dbvarname="PASSWORDx" value="#arguments.password#">
          <cfprocparam type="In" cfsqltype="CF_SQL_CHAR" dbvarname="IP_ADDRESSx" value="#cgi.remote_addr#">
          <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="RAND_INTx" value="#rand_int#">
          <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="APP_IDx" value="#application.app_id#">
          <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="CHECK_IPx" value="1">
          <cfprocparam type="In" cfsqltype="CF_SQL_INTEGER" dbvarname="pwd_requiredx" value="#pwdRequired#">
    </cfstoredproc>

Actual Result:

    1. On CF11 prior to patch 3, stored procedure executes.
    2. After patch 3 upgrade, After patch 3, we get an exception:

         Error Executing Database Query.

         ORA-06550: line 1, column 34: PLS-00201: identifier 'SID_XO' must be declared ORA-06550: line 1, column 7: PL/SQL: Statement ignored


Expected Result:

       Query will execute as before, and not produce errors (query parameters will be passed in order instead of by name).

Any Workarounds:

      Removing the dbvarname from the cfprocparam tags, or painstakingly verify the names that have been used over the years to make sure that they match the database parameter names.

      Either of these are extremely risky to a previously well functioning application that has a LOT of cfstoredproc calls.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3919479

External Customer Info:
External Company:  
External Customer Name: TheraRob
External Customer Email:  
External Test Config: My Hardware and Environment details:



    ColdFusion 11 on Windows 2012 R2 server

    Oracle 11 database

    Oracle thin driver.

Attachments:

Comments:

This is NOT the same as bug #CF-3865064 - this is regarding the dbvarname parameter actually being used when the system property coldfusion.dbvarDependants has not been set. Prior to patch 3, the variables were being passed to the procedure in the order they are defined. After patch 3 they are being passed by variable name, and therefore (at least with Oracle) must match the name of the parameter of the procedure. I need a fix, or a way to set the system property coldfusion.dbvarDependants that will disable the pas by name behavior. dbvarname should be ignored unless we set the value as indicated in the documentation at https://wikidocs.adobe.com/wiki/display/coldfusionen/cfprocparam
Comment by External U.
8990 | January 12, 2015 09:32:37 AM GMT
This issue is fixed and fix will be available as part of upcoming update of ColdFusion 11. As part of this fix, we will be introducing a jvm flag which can be used to ignore the dbvarname attribute. Regards, Nimit
Comment by Nimit S.
8991 | January 23, 2015 01:51:53 AM GMT
Verified this is fixed by using JVM arg -Dcoldfusion.ignoredbvarname=true|false in CF11 Update 4 (build 11,0,04,293085(PreRelease)). Thanks!, -Aaron
Comment by External U.
8992 | February 01, 2015 08:07:39 PM GMT
I have also verified this fix works with the PR Update 4 - 11,0,04,293127(PreRelease) from the http://download.adobe.com/pub/adobe/coldfusion/PR/updates.xml
Comment by External U.
8993 | February 02, 2015 10:57:24 AM GMT
Thanks Rob and Aaron for confirming the fix works.
Comment by Vamseekrishna N.
8994 | February 05, 2015 03:52:03 AM GMT