>> I guess I should also add that if hackers are seeing useful
>
> You don't need to wrap every query with CFTRY/CFCATCH; you're better off
> reserving that for specific exceptions where you can present a specific
> solution. If you just use CFERROR/onError to capture runtime exceptions, you
> can get the same results in a more structured way.
>
> While I'm not sure I fully agree with this, there is a cogent argument to be
> made in favor of not scrubbing client data:
> http://www.joelonsoftware.com/articles/Wrong.html
Good point about cftry/cfcatch; it depends on how you want to do it, I guess. Using CFERROR/onError, what would you do if you wanted to handle different types of errors in different ways depending on the situation?

I think Joel's article is speaking more about coding practices when dealing with unsafe data rather than whether or not you should scrub data. His little code samples are even scrubbing data before output by using the Encode() function. The point is that you should code in such a way that it is clear and easy for the eye to catch if you are doing output without cleaning up user input in some way. Further, even if you want to store unsafe input in a database, you will still most definitely want to clean up the input to make sure that no SQL injection is going to happen.

Good article, though, by the way.

CoolJJ
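As an added illustration of the "parameterize the query, encode the output" point discussed above (example code written for this note, not from the original thread; the datasource, table and column names are assumptions):

```cfml
<!--- Added example, not from the thread. Datasource "myDSN", table "users"
      and columns user_id / display_name are assumed names. --->

<!--- Unsafe: the raw URL value is pasted into the SQL string, so whatever
      the client sends becomes part of the statement. This is the pattern
      the thread warns about. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT user_id, display_name
    FROM users
    WHERE user_id = #url.id#
</cfquery>

<!--- Safe: cfqueryparam binds the value as a typed parameter. The database
      never sees it as SQL text, and a non-integer value is rejected before
      the query runs, so the input never needs to be "cleaned" by hand. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT user_id, display_name
    FROM users
    WHERE user_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Output: storing the raw text is fine as long as every output is encoded
      for its context. HTMLEditFormat escapes <, >, & and " so stored text is
      rendered as text, not as markup. --->
<cfoutput query="getUser">
    <p>#HTMLEditFormat(display_name)#</p>
</cfoutput>
```

Keeping the bind parameter and the encoding call on the same line as the value they protect is what makes a missing one easy to spot on review, which is the readability point Joel's article is making.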