> Good point about cftry cfcatch, depends on how you want to do > it I guess. Using a CFERROR/OnError, what would you do if you > wanted to handle different types of errors in different ways > depending on the situation?
You'd look at the exception information that's exposed to your CFERROR page(s). If you really have a specific problem and a specific solution, by all means you should use CFTRY/CFCATCH. Usually, though, you have a specific problem but a more general solution - for example, if you have a problem with database queries, you might handle that problem the same way with any database query you have. > I think Joel's article is speaking more about coding > practices when dealing with unsafe data rather than whether > or not you should scrub data. His little code samples are > even scrubbing data before outputs by using the Encode() > function. The point is that you should code in such a way to > make it clear and easy for the eye to catch if you are doing > outputs without cleaning up user inputs in some way. Further, > even if you want to store unsafe inputs into a database you > will still most definitely want to clean up the inputs to > make sure that no SQL injecting is going to happen. Good > article though by the way. Joel's article covers a lot of ground - the evolution and misappropriation of Hungarian notation, the value of self-documenting coding strategies, the history of Microsoft Word, how exception handling violates self-documenting coding strategies - but it specifically addresses storing unsafe strings instead of converting them to safe strings when they're received. The assumption is that you may need the original string data for certain things, but that you would always sanitize it before writing it to an HTML page. And, if you use CFQUERYPARAM or CFPROCPARAM or any other mechanism that lets you build prepared statements or their analogues, no SQL injecting will happen - the specific purpose of a prepared statement is to separate executable code (your SQL statement) from data (your inputs). It doesn't matter what's in the data, it won't be treated as executable SQL code by the database. You may still want to sanitize it to prevent XSS, but as Joel's article points out, this could happen when you accept the values, or when you display the values. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! This email has been processed by SmoothZap - www.smoothwall.net ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Macromedia ColdFusion MX7 Upgrade to MX7 & experience time-saving features, more productivity. http://www.adobe.com/products/coldfusion?sdid=RVJW Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:280690 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
