-----Original Message-----
From: Brad Wood [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 06, 2008 3:54 PM
To: CF-Talk
Subject: RE: Preventing user from changing ID number in URL

Obscurity still isn't security though. Better yet, run whatever security checks are necessary when displaying a ticket to verify the person logged in should be able to view it.

~Brad

--

That's what we do. Each of our invoices is referenced in an invoice table by a few different pieces of data, the most important of which is the invoice number and the customer's account number. The ID in the URL gets checked to see if the logged in account number is in the same row as the invoice and if not they get a "not a valid invoice under your account" error.

Mike

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:304829
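
The ownership check described in this reply, as an added example that is not code from the thread: the lookup is keyed on both the ID from the URL and the account number from the server-side session, and a missing invoice and another customer's invoice produce the same error. It is written in Python with sqlite3 rather than CFML so it runs stand-alone; the table, column and function names and the sample rows are assumptions.

```python
import sqlite3

NOT_VALID = "not a valid invoice under your account"  # error text quoted in the post

COLUMNS = "invoice_number, account_number, total_cents"  # assumed schema


def make_db():
    """Constructed sample data; the real invoice table is not shown in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoice (invoice_number INTEGER PRIMARY KEY,"
        " account_number INTEGER NOT NULL, total_cents INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO invoice VALUES (?, ?, ?)",
        [(1001, 501, 12500), (1002, 502, 9900), (1003, 501, 4200)],
    )
    return db


def get_invoice_unscoped(db, url_id):
    """Before: trusts the ID from the URL, so any logged-in user can read any row."""
    return db.execute(
        f"SELECT {COLUMNS} FROM invoice WHERE invoice_number = ?", (url_id,)
    ).fetchone()


def get_invoice_for_account(db, url_id, session_account):
    """After: the row must match the URL ID and the session's account number.

    session_account must come from the server-side session, never the request.
    Bad input, unknown IDs and other customers' invoices all raise the same
    error, so the response does not reveal which invoice numbers exist.
    """
    try:
        invoice_number = int(url_id)
    except (TypeError, ValueError):
        raise PermissionError(NOT_VALID)
    row = db.execute(
        f"SELECT {COLUMNS} FROM invoice"
        " WHERE invoice_number = ? AND account_number = ?",
        (invoice_number, session_account),
    ).fetchone()
    if row is None:
        raise PermissionError(NOT_VALID)
    return row
```
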

