Mike,
You would only need to validate it if you were accepting it as user input.
In that case you would need to compare it to a list or array of valid
values, or perhaps pass in something that you compare against to derive this
value, as in:
<!--- Exact-match comparison against known values; only the literal ORDER BY
      fragments below ever reach the query, never form.orderby itself. --->
<cfif form.orderby IS 'order_key'>
<cfset args.order_key = "product.order_key ASC"/>
<cfelseif form.orderby IS 'name'>
<cfset args.order_key = "product.name ASC"/>
<cfelse>
<!--- Anything unrecognised falls through to the default sort --->
<cfset args.order_key = "product.cost ASC"/>
</cfif>
In this way you are comparing for an exact match and explicitly setting
the value. It would be impossible for a malicious user to sneak something
into the args.order_key variable. You would use args.order_key in your
function:
<cfset getProducts = application.product.get_product(cat_id=URL.cat_id, order_key=args.order_key)/>
Or you could set your other arguments like so:
<cfset args.cat_id = val(url.cat_id)/>
<cfset getProducts = application.product.get_product(args)/>
Or, perhaps more semantic:
<cfset getProducts = application.product.get_product(argumentcollection=args)/>
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
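The allow-list approach Mark describes, worked through as an added example that is not part of the original thread. It is written in Python against an in-memory SQLite database rather than CFML, so it can be run offline: the ORDER_KEYS table plays the role of the cfif chain, val() approximates ColdFusion's val() for cat_id, and the unsafe variant with a blind ORDER BY payload is included for contrast. The product and users tables, their rows and the payload are all constructed for the demonstration.

```python
import re
import sqlite3

# Allow-list mapping the values form.orderby may take to the exact SQL
# fragment that is permitted into the query (the same three keys as the
# cfif chain in the post). Only these fragments ever reach ORDER BY.
ORDER_KEYS = {
    "order_key": "product.order_key ASC",
    "name": "product.name ASC",
    "cost": "product.cost ASC",
}
DEFAULT_ORDER = ORDER_KEYS["cost"]  # the <cfelse> branch


def resolve_order_key(requested):
    """Exact-match lookup; anything not on the allow-list gets the default."""
    return ORDER_KEYS.get(requested, DEFAULT_ORDER)


def val(text):
    """Rough analogue of ColdFusion's val(): leading integer of a string, else 0.
    (Assumption: CF's val() also handles decimals; an integer is enough here.)"""
    m = re.match(r"\s*[+-]?\d+", str(text))
    return int(m.group()) if m else 0


def get_products(conn, cat_id, order_key):
    """Safe: cat_id is a bound parameter and order_key must be one of the
    allow-listed fragments (defence in depth if a caller bypasses resolve_order_key)."""
    if order_key not in ORDER_KEYS.values():
        raise ValueError("order_key is not an allow-listed sort expression")
    sql = "SELECT name FROM product WHERE cat_id = ? ORDER BY " + order_key
    return [row[0] for row in conn.execute(sql, (cat_id,))]


def get_products_unsafe(conn, cat_id, order_by):
    """Unsafe: both values concatenated straight into the statement."""
    sql = f"SELECT name FROM product WHERE cat_id = {cat_id} ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]


def build_db():
    """Constructed sample data (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (name TEXT, cost REAL, order_key INTEGER, cat_id INTEGER);
        CREATE TABLE users (login TEXT, password TEXT);
        INSERT INTO product VALUES ('widget', 9.5, 1, 1), ('gadget', 3.0, 2, 1),
                                   ('gizmo', 12.0, 3, 1), ('doohickey', 1.0, 4, 2);
        INSERT INTO users VALUES ('admin', 'secret');
    """)
    return conn


# A boolean-based blind ORDER BY payload: the resulting sort order reveals
# whether a guess about another table's data is correct. Constructed here
# purely to show what the allow-list neutralises.
PAYLOAD = ("(CASE WHEN (SELECT substr(password,1,1) FROM users) = 's' "
           "THEN product.name ELSE product.cost END)")


def demo():
    conn = build_db()
    # Unsafe path: rows come back sorted by name, so the guess 's' was right.
    leaked = get_products_unsafe(conn, 1, PAYLOAD)
    # Unsafe path: an unvalidated cat_id widens the WHERE clause to every category.
    all_cats = get_products_unsafe(conn, "1 OR 1=1", DEFAULT_ORDER)
    # Safe path: the payload is not an allow-listed key, so the default order
    # applies, and val() reduces the cat_id tampering to the integer 1.
    safe = get_products(conn, val("1 OR 1=1"), resolve_order_key(PAYLOAD))
    by_name = get_products(conn, val("1"), resolve_order_key("name"))
    return leaked, all_cats, safe, by_name


if __name__ == "__main__":
    for label, rows in zip(("leaked", "all_cats", "safe", "by_name"), demo()):
        print(label, rows)
```

The check inside get_products is the part worth keeping even when the mapping already lives elsewhere: it guarantees that a refactor which starts passing form.orderby straight through cannot silently reintroduce the injection.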
-----Original Message-----
From: Mike Little [mailto:[EMAIL PROTECTED]
Sent: Monday, March 31, 2008 3:23 PM
To: CF-Talk
Subject: Re: inefficient query
Mark, the order_key is only defined in my code, e.g.
getProducts = application.product.get_product(cat_id=URL.cat_id, order_key="product.order_key ASC");
I would be interested, however, in how to validate this on the server side?
Thanks,
Mike
Archive:
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:302365