The security hole is that you can arbitrarily manipulate the URL variable and potentially see information that belongs to another person.
On Jan 23, 2008 2:25 PM, Ryan J. Heldt <[EMAIL PROTECTED]> wrote:
> Todd-
>
> A security hole, how so? Yes, you can arbitrarily change the value: MyID
> = 1, MyID = 2, and so on, but that's always going to be the case. I
> believe the initial question posed was if someone messed with the URL
> and removed one of the values. Say, the page was expecting MyID and it
> wasn't there. How should the page react?
>
> --
> *Ryan J. Heldt*
> /Senior Web Developer/
> Global Reach Internet Productions
> http://www.globalreach.com
> Phone: 515-296-0792, Fax: 515-296-3748
>
>
> Todd wrote:
> > Uh, I find that to be a security hole. URL.MyID = 1 will probably always
> > work. If not, I'll start the math guessing game.
> >
> > On Jan 23, 2008 12:25 PM, Ryan J. Heldt <[EMAIL PROTECTED]> wrote:
> >
> >
> >> I like to handle things like that somewhat gracefully, for example:
> >>
> >> <!--- Default Parameters --->
> >> <cfparam name="url.MyID" default="0" />
> >>
> >> <!--- Get Data --->
> >> <cfquery name="qryData">
> >> SELECT ...
> >> FROM ...
> >> WHERE MyID = <cfqueryparam value="#val(url.MyID)#"
> >> cfsqltype="cf_sql_integer" />
> >> </cfquery>
> >>
> >> <!--- Hmm... No records, send user back to list page --->
> >> <cfif qryData.RecordCount is 0>
> >> <cflocation url="index.cfm" addtoken="false" />
> >> </cfif>
> >>
> >> Essentially by using cfparam, if the value isn't there at all, it's
> >> going to be defined as 0. Secondly, we're using cfqueryparam to protect
> >> the database. Third, if the value of url.MyID is something odd, like a
> >> string, it's going to be converted into a number. Finally, if there are
> >> no records, it sends the user back to a list page.
> >>
> >> Happy coding!
> >>
> >> --
> >> *Ryan J. Heldt*
> >> /Senior Web Developer/
> >> Global Reach Internet Productions
> >> http://www.globalreach.com
> >> Phone: 515-296-0792, Fax: 515-296-3748
> >>
> >>
> >

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297243
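The thread above makes two separate points: Ryan's snippet handles a missing or non-numeric `url.MyID` (cfparam default, `val()`, cfqueryparam, redirect when no rows), while Todd's objection is that a parameterized lookup keyed only on a client-supplied id still lets a user walk `MyID=1, 2, 3...` and read other people's records. The example below is an added illustration and is not code from the thread; it is written in Python with an in-memory SQLite table rather than CFML so it can run anywhere. The `records` table, its `OwnerID` column, the sample rows and the `session_user_id` parameter are all constructed assumptions. It reproduces the posted pattern as `fetch_record_unscoped`, then shows the ownership check that closes the hole Todd describes.

```python
import sqlite3


def setup_db():
    """Constructed sample data: two records owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records (MyID INTEGER PRIMARY KEY, OwnerID INTEGER NOT NULL, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(1, 100, "record belonging to user 100"), (2, 200, "record belonging to user 200")],
    )
    conn.commit()
    return conn


def coerce_id(raw):
    """Mirror <cfparam default="0"> plus val(): a missing or non-numeric
    value becomes 0 (simplified; CF's val() would also accept a leading number)."""
    if raw is None:
        return 0
    try:
        return int(str(raw).strip())
    except ValueError:
        return 0


def fetch_record_unscoped(conn, url_myid):
    """The pattern as posted: defaulted, coerced and parameterized, so no SQL
    injection, but any existing MyID is returned regardless of who asks."""
    myid = coerce_id(url_myid)
    return conn.execute(
        "SELECT MyID, OwnerID, body FROM records WHERE MyID = ?", (myid,)
    ).fetchone()


def fetch_record_for_owner(conn, url_myid, session_user_id):
    """Same lookup, but additionally scoped to the authenticated user's id.
    A guessed MyID that belongs to someone else now yields no row at all."""
    myid = coerce_id(url_myid)
    return conn.execute(
        "SELECT MyID, OwnerID, body FROM records WHERE MyID = ? AND OwnerID = ?",
        (myid, session_user_id),
    ).fetchone()


def handle_request(conn, url_myid, session_user_id):
    """Page logic equivalent to the cfif/cflocation block: no matching row
    (missing id, junk id, or somebody else's id) all redirect to the list page."""
    row = fetch_record_for_owner(conn, url_myid, session_user_id)
    if row is None:
        return ("redirect", "index.cfm")
    return ("ok", row[2])


if __name__ == "__main__":
    db = setup_db()
    # User 100 asks for MyID=2 (owned by user 200).
    print("unscoped:", fetch_record_unscoped(db, "2"))        # leaks user 200's record
    print("scoped:  ", handle_request(db, "2", 100))          # ('redirect', 'index.cfm')
    print("own:     ", handle_request(db, "1", 100))          # ('ok', ...)
    print("missing: ", handle_request(db, None, 100))         # ('redirect', 'index.cfm')
```

Note that the unscoped query and the scoped one treat missing and malformed ids identically; the only difference is the extra `OwnerID = ?` predicate bound to a value taken from the server-side session, never from the URL. Whether a "not yours" request should redirect silently or be logged as a probable enumeration attempt is a separate decision, but it is cheap to log because it is exactly the case where the unscoped lookup would have found a row and the scoped one did not.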

