On Jan 23, 2008 7:59 PM, Charlie Griefer wrote:
> the security hole is that you can arbitrarily manipulate the URL
> variable and potentially see information that belongs to another
> person.
>
Right. In which case you should also have code in place that (a) verifies that the ID they've requested belongs to them, or (b) they actually have permission to request info that does not belong to them.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297273
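
The two checks described in the reply above, written out as an added example that is not part of the original thread. The tables `invoices` and `invoice_grants`, the `application.dsn` datasource, the `login.cfm` page and `session.userId` (set at login, with session management enabled) are all assumptions made for illustration.

```cfml
<!--- Added example. Hypothetical schema: invoices(id, owner_id, amount),
      invoice_grants(invoice_id, grantee_id). session.userId is assumed to be
      set by the login code; application.dsn is an assumed datasource name. --->

<!--- Reject anything that is not an integer before it reaches the query. --->
<cfif NOT structKeyExists(url, "id") OR NOT isValid("integer", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- No authenticated user, no lookup. --->
<cfif NOT structKeyExists(session, "userId")>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfquery name="qInvoice" datasource="#application.dsn#">
    SELECT i.id, i.amount
    FROM invoices i
    WHERE i.id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND (
            <!--- (a) the record belongs to the requester --->
            i.owner_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
            <!--- (b) or the requester was explicitly granted access to it --->
            OR EXISTS (
                SELECT 1
                FROM invoice_grants g
                WHERE g.invoice_id = i.id
                  AND g.grantee_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
            )
          )
</cfquery>

<!--- Same response for "does not exist" and "not yours", so the ID space
      cannot be mapped by comparing error pages. --->
<cfif qInvoice.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<cfoutput>Invoice #qInvoice.id#: #dollarFormat(qInvoice.amount)#</cfoutput>
```

Because the ownership and grant conditions are part of the `WHERE` clause, a changed `url.id` that points at someone else's record returns zero rows rather than relying on a separate check that could be skipped.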

