got it. thanks heaps mark.

>Mike,
>
>You would only need to validate it if you were accepting it as user input.
>In that case you would need to compare it to a list or array of valid
>values... Or perhaps pass in something that you compare to derive this value
>as in.
>
><cfif form.orderby IS 'order_key'>
>
>    <cfset args.order_key = "product.order_Key ASC"/>
><cfelseif form.orderby IS 'name'>
>    <cfset args.order_key = 'Product.name ASC'/>
><cfelse>
>    <cfset args.order_key = 'Product.cost ASC'/>
></cfif>
>
>In this way - you are comparing for an exact match and explicitly setting
>the value. It would be impossible for a malicious user to sneak something
>into the args.orderby variable. You would use args.order_key in your
>function....
>
><cfset getProducts =
>application.product.get_product(cat_id=URL.cat_id,order_key=args.order_key)/>
>
>Or you could set your other arguments like so...
>
><cfset args.cat_id = val(url.cat_id)/>
>
><cfset getProducts = application.product.get_product(args)/>
>
>Or perhaps more semantic...
>
><cfset getProducts =
>application.product.get_product(argumentcollection=args)/>
>
>
>Mark A. Kruger, CFG, MCSE
>(402) 408-3733 ext 105
>www.cfwebtools.com
>www.coldfusionmuse.com
>www.necfug.com
>
>mark, the order_key is only defined in my code eg.
>
>getProducts =
>application.product.get_product(cat_id=URL.cat_id,order_key="product.order_key ASC");
>
>i would be interested however in how to validate this at the server side?
>
>thanks
>mike
Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:302373
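One way to do the server-side validation asked about in the thread, as an added example (not code from either poster): the allow-list sits inside the component, so `get_product()` builds its ORDER BY only from fixed literals whatever the caller passes. The datasource name, the `product.cat_id` column, the selected columns and the `orderby`/`direction` argument names are assumptions.

```cfml
<cfcomponent output="false">

  <!--- Hypothetical datasource name --->
  <cfset variables.dsn = "myDsn"/>

  <!--- Allow-list: request token -> fixed column. Only these literals ever reach the SQL text. --->
  <cfset variables.sortColumns = structNew()/>
  <cfset variables.sortColumns["order_key"] = "product.order_key"/>
  <cfset variables.sortColumns["name"] = "product.name"/>
  <cfset variables.sortColumns["cost"] = "product.cost"/>

  <cffunction name="get_product" access="public" returntype="query" output="false">
    <cfargument name="cat_id" type="numeric" required="true"/>
    <cfargument name="orderby" type="string" required="false" default="cost"/>
    <cfargument name="direction" type="string" required="false" default="ASC"/>

    <cfset var qProducts = ""/>
    <cfset var orderColumn = variables.sortColumns["cost"]/>
    <cfset var orderDir = "ASC"/>

    <!--- Exact-match lookup; an unknown token falls back to the default column --->
    <cfif structKeyExists(variables.sortColumns, arguments.orderby)>
      <cfset orderColumn = variables.sortColumns[arguments.orderby]/>
    </cfif>

    <!--- Direction is also chosen from fixed literals, never echoed from input --->
    <cfif compareNoCase(arguments.direction, "DESC") EQ 0>
      <cfset orderDir = "DESC"/>
    </cfif>

    <cfquery name="qProducts" datasource="#variables.dsn#">
      SELECT product.name, product.cost, product.order_key
      FROM product
      WHERE product.cat_id = <cfqueryparam value="#arguments.cat_id#" cfsqltype="cf_sql_integer"/>
      ORDER BY #orderColumn# #orderDir#
    </cfquery>

    <cfreturn qProducts/>
  </cffunction>

</cfcomponent>
```

ORDER BY identifiers cannot be bound with `cfqueryparam`, which is why the column and direction are mapped to literals while `cat_id` is bound as a parameter.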

