I'd always want an "open" version that will take any user ID, then another
layer over that that enforces the rules about what user ID can be passed in.
Otherwise you have a hell of a time writing admin systems or unit tests.

Jaime Metcher

> -----Original Message-----
> From: Robert Rawlins - Think Blue
> [mailto:[EMAIL PROTECTED]
> Sent: Friday, 4 May 2007 10:05 PM
> To: CF-Talk
> Subject: Best Practice: Query User Specific Data
>
>
> Hey Guys,
>
> Something crossed my mind this morning and I thought I'd run it past you,
> see what your thoughts on it were. In my application I have a lot of queries
> that pull data dependent on the user that is currently signed in using the
> user_id which sits in their session. Now for the moment I pass this user_id
> in as an argument to my functions that contain queries, like this.
>
> <cffunction name="myFunction" access="public" returntype="query">
>     <cfargument name="userid" type="numeric" required="true">
>     <!--- var-scope the query result; the datasource name is a placeholder --->
>     <cfset var result = "">
>     <cfquery name="result" datasource="#variables.dsn#">
>         SELECT something
>         FROM wherever
>         <!--- bind the id as a parameter rather than interpolating it into the SQL --->
>         WHERE userid = <cfqueryparam value="#arguments.userid#" cfsqltype="cf_sql_integer">
>     </cfquery>
>     <cfreturn result>
> </cffunction>
>
> I then call this function by doing the usual
> MyObject.myFunction(Session.UserID)
>
> Now is this the best way of doing this? Presumably there is a slight
> vulnerability in security as anyone could effectively pass in any old user
> ID and have it pull their information from the database. What I'd really
> like to do is have that WHERE clause interact directly with the SESSION
> scope to collect that user ID, that way the user HAS to have an active
> session and will only ever be able to retrieve their information, and to get
> an active session with a populated user_id they must have been
> authenticated.
>
> I know this might make the code a little less usable, but I feel that it's
> probably a little more secure.
>
> What do you think?
>
> Rob
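The two-layer shape Jaime describes (an "open" query that takes any user ID, with a separate layer that enforces which IDs a caller may pass) as an added example; this is not code from the thread. It is written in Python rather than CFML so it runs stand-alone, and it uses an in-memory SQLite table with constructed rows and a hypothetical `Session` object standing in for the CF SESSION scope, since the thread gives neither the real schema nor the user_id type.

```python
"""Two layers over one query: an "open" data-access function that accepts
any user id, and a policy layer that decides which ids a session may ask
for. Added example, not code from the thread; the table and rows below
are constructed because the thread does not give the real schema."""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Minimal stand-in for the CF SESSION scope (hypothetical shape)."""
    user_id: Optional[int]      # None means the caller is not authenticated
    is_admin: bool = False


class Forbidden(Exception):
    """Raised by the policy layer, never by the open query."""


def open_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the "wherever" table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (userid INTEGER PRIMARY KEY, email TEXT)")
    db.executemany(
        "INSERT INTO profiles VALUES (?, ?)",
        [(1, "rob@example.invalid"), (2, "jaime@example.invalid")],
    )
    return db


# Layer 1: the open version. Any id is accepted and there is no policy here,
# which is exactly what admin screens and unit tests want to call directly.
def get_profile(db: sqlite3.Connection, user_id: int) -> Optional[dict]:
    row = db.execute(
        "SELECT userid, email FROM profiles WHERE userid = ?",  # bound parameter
        (user_id,),
    ).fetchone()
    return None if row is None else {"userid": row[0], "email": row[1]}


# Layer 2: the rule about which ids may be passed in. Pure function, so it
# can be unit-tested without a database.
def allowed_target(session: Session, requested: Optional[int]) -> int:
    if session.user_id is None:
        raise Forbidden("no authenticated session")
    target = session.user_id if requested is None else requested
    if target != session.user_id and not session.is_admin:
        raise Forbidden("a non-admin session may only read its own profile")
    return target


def get_profile_for_session(db, session: Session, requested: Optional[int] = None):
    """What the web tier calls: the id comes from the session unless an admin
    explicitly asks for someone else's row."""
    return get_profile(db, allowed_target(session, requested))


def try_read(db, session: Session, requested: Optional[int] = None):
    """Outcome as a (status, payload) tuple so callers can assert on it."""
    try:
        return ("ok", get_profile_for_session(db, session, requested))
    except Forbidden as exc:
        return ("forbidden", str(exc))


if __name__ == "__main__":
    db = open_db()
    print(try_read(db, Session(user_id=1)))                    # own row
    print(try_read(db, Session(user_id=1), 2))                 # blocked
    print(try_read(db, Session(user_id=1, is_admin=True), 2))  # admin may
    print(try_read(db, Session(user_id=None)))                 # no session
```

The web tier only ever calls `get_profile_for_session`, so an ordinary request is pinned to its own session id; admin tooling and tests call `get_profile` directly, which is the flexibility Jaime's reply is after. Because `allowed_target` has no database dependency, the authorization rule itself can be tested in isolation.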


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:277206