Dave Watts said:
>> What's the matter with using evaluate?
>
> It's generally more expensive to tell the computer to treat a
> literal string as an expression, than to just give the computer an
> expression in the first place.

I think the bigger issue is the question of where that string expression
originates. While the example posted by Stan doesn't pose much risk, we
have probably all seen the following code:

<cfloop list="#form.fieldnames#" index="currentField">
  <!--- the field name, chosen by the client, is parsed as an expression --->
  <cfset Quantity = Evaluate(currentField)>
</cfloop>

In this example, you are essentially running user generated code
inside your website. It is still limited to whatever Evaluate()
accepts, but you can get all sorts of interesting information if you
submit a form with a field named StructKeyList(session) or
StructClear(application).

Jochem
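A hardened version of that loop, added here as an example (it is not code from the list post or from any of its authors): the submitted field name is never handed to Evaluate(); it is checked against an allowlist and then used only as a struct key into the form scope, and the value is validated before use. The field names `quantity`, `price` and `sku`, the `safeValues` struct and the log file name are assumptions for illustration.

```cfml
<!--- Added example (not from the list post): read form fields without Evaluate().
      Field names arrive from the client, so they are treated as data, never as code.
      The allowlist and field names below are assumed for illustration. --->
<cfset allowedFields = "quantity,price,sku">
<cfset safeValues = structNew()>
<cfset rejectedFields = arrayNew(1)>

<cfloop list="#form.fieldnames#" index="currentField">
  <cfif listFindNoCase(allowedFields, currentField)>
    <!--- Struct-key access looks the name up in the form scope; it never
          parses the name as an expression, so a field named
          StructClear(application) is simply an unknown key and is skipped. --->
    <cfset safeValues[currentField] = form[currentField]>
  <cfelse>
    <!--- Remember the unexpected name for logging; still never evaluate it. --->
    <cfset arrayAppend(rejectedFields, currentField)>
  </cfif>
</cfloop>

<!--- Validate the value as well: Quantity must be a positive integer. --->
<cfif structKeyExists(safeValues, "quantity")
      and isValid("integer", safeValues.quantity)
      and safeValues.quantity gt 0>
  <cfset Quantity = val(safeValues.quantity)>
<cfelse>
  <cfset Quantity = 0>
</cfif>

<!--- Unexpected field names are a useful detection signal, so log them. --->
<cfif arrayLen(rejectedFields)>
  <cflog file="application" type="warning"
         text="Unexpected form fields ignored: #arrayToList(rejectedFields)#">
</cfif>
```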

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:237987
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4