I completely agree with both of you. If this were something in a protected environment, then by all means you're going to need to make sure the user in question has permission to the record(s) being accessed. However, I guess when the initial question was posed I envisioned this as something more on a public-facing web site (like a blog or events calendar) where changing the ID didn't matter so much, but, if that variable was missing or contained something unexpected, how the application should handle that.

Ryan

Matt Quackenbush wrote:
> On Jan 23, 2008 7:59 PM, Charlie Griefer wrote:
>
>> the security hole is that you can arbitrarily manipulate the URL
>> variable and potentially see information that belongs to another
>> person.
>
> Right. In which case you should also have code in place that (a) verifies
> that the ID they've requested belongs to them, or (b) they actually have
> permission to request info that does not belong to them.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297298
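The two points raised in the thread, handling a missing or malformed URL variable and tying the lookup to the logged-in user, as one added ColdFusion example that is not code from any of the posters. It assumes a `session.userId` set at login (session management enabled), a datasource named `app`, and a `documents` table with `id`, `owner_id`, `title` and `body` columns.

```cfml
<!--- Added example, not from the thread. Assumed: session.userId is set at
      login, datasource "app", table documents(id, owner_id, title, body). --->
<cfparam name="url.id" default="">

<!--- 1. Missing or malformed id: reject before touching the database.
      isValid("integer") is false for "", "abc", "1 OR 1=1" and the like. --->
<cfif NOT isValid("integer", url.id) OR url.id LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>A valid record id is required.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 2. Require an authenticated user before any record lookup. --->
<cfif NOT structKeyExists(session, "userId")>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<!--- 3. The ownership check lives in the query itself: the WHERE clause binds
      both the requested id and the current user's id, so an id that belongs
      to someone else simply returns no rows. cfqueryparam keeps the values
      out of the SQL text. --->
<cfquery name="doc" datasource="app">
    SELECT id, title, body
    FROM   documents
    WHERE  id       = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    AND    owner_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- 4. "Not found" and "not yours" produce the same response, so the page
      does not reveal whether a given id exists. --->
<cfif doc.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput><p>No such record.</p></cfoutput>
    <cfabort>
</cfif>

<cfoutput>
    <h1>#htmlEditFormat(doc.title)#</h1>
    <div>#htmlEditFormat(doc.body)#</div>
</cfoutput>
```

For the public-facing blog or calendar case Ryan describes, step 1 and step 4 are the ones that matter; the `owner_id` condition in step 3 is what turns the same page into the protected version Matt describes.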

