That's not a security hole in the example, it's a security hole in the logic... The question was how to prevent an error due to changing or removing the url variable. The example does that. If someone is pulling and displaying private information based on a url variable... well... they obviously should rethink their whole approach.
One possibility... make users log in, store their 'MyID' in their session and pull the info from that instead.

Bobby Hartsfield
http://acoderslife.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:297304
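The session-based approach suggested in the message above, shown next to the URL-driven lookup it replaces. This is an added example, not code from the thread. The datasource `appDSN`, the `members` table and its columns, and `login.cfm` are hypothetical, and it assumes session management is enabled for the application and that `session.MyID` is set only by the login handler.

```cfml
<!--- Added example. appDSN, members, its columns and login.cfm are hypothetical. --->

<!--- BEFORE: the record is chosen by the URL.
      cfparam prevents the "variable is undefined" error when ?MyID= is
      removed, but any visitor can still change the value and be shown
      another member's row. Nothing ties the id to the person asking. --->
<cfparam name="url.MyID" default="0">
<cfquery name="qBefore" datasource="appDSN">
    SELECT display_name, email
    FROM   members
    WHERE  member_id = <cfqueryparam value="#val(url.MyID)#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- AFTER: the record is chosen by the session.
      Assumption: the login handler sets session.MyID only after the
      credentials check succeeds, and nothing else writes to it. --->
<cfif NOT structKeyExists(session, "MyID")>
    <!--- Not logged in: send the visitor to the login page.
          cflocation stops processing of this page. --->
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfquery name="qProfile" datasource="appDSN">
    SELECT display_name, email
    FROM   members
    WHERE  member_id = <cfqueryparam value="#session.MyID#" cfsqltype="cf_sql_integer">
</cfquery>

<cfif qProfile.recordCount EQ 1>
    <cfoutput>
        <p>#htmlEditFormat(qProfile.display_name)#</p>
        <p>#htmlEditFormat(qProfile.email)#</p>
    </cfoutput>
<cfelse>
    <!--- The session points at a row that no longer exists. --->
    <p>Profile not found.</p>
</cfif>
```

If a page must accept an id in the URL (for example, an administrator viewing another member), the equivalent check is to compare the requested id against what the logged-in user in `session` is allowed to see before running the query.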

