> Up until now I thought that scoping variables with form. meant that you were
> guaranteed those variables were coming from a form post.

This is one of those things that has varied from one version of CF to
another, if I recall correctly.

> So now my question is how do you guarantee that the variable came from
> the form scope?
>
> Is using form["firstname"] sufficient?

Well, to be honest, I wouldn't even worry about this as a problem. You
don't really need to care whether something came from the form scope,
only that it contains an acceptable value. If someone's built an
alternative interface that sends URL parameters named
"form.somethingorother", that by itself is not a security
vulnerability.

> What about checking
>
> cgi.REQUEST_METHOD
>
> for post? Can that variable be spoofed?

No, that variable will be accurate in all cases. You could also check
for the existence of Form.fieldnames. But again, it's not a big
concern in my opinion. It's easy enough for someone to build a
mechanism that actually posts the data, and you can't really do much
about that.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

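As an added example (not code from either message in this thread), here is how the checks discussed above look in CFML: confirm the request method, confirm Form.fieldnames exists, then validate the value itself rather than trusting where it came from. The function name and the name pattern are assumptions; the field name "firstname" is the one from the question.

```cfml
<cfscript>
// Added example, not from the original thread. Assumes the page expects a
// POSTed field named "firstname" and returns "" for anything unacceptable.
function getValidatedFirstName() {
    var candidate = "";

    // CGI.REQUEST_METHOD reflects the HTTP method the server actually saw.
    if (cgi.request_method neq "POST") {
        return "";
    }

    // Form.fieldnames is only populated when a form body was really posted;
    // "form.firstname" arriving as a URL parameter does not create it.
    if (not structKeyExists(form, "fieldnames")) {
        return "";
    }

    // The value is what matters: it must exist and match what a name looks like.
    if (not structKeyExists(form, "firstname")) {
        return "";
    }
    candidate = trim(form["firstname"]);

    // Assumed pattern: a letter followed by up to 49 letters, apostrophes,
    // spaces or hyphens. Adjust to the application's real rules.
    if (not reFind("^[A-Za-z][A-Za-z' -]{0,49}$", candidate)) {
        return "";
    }

    return candidate;
}

firstName = getValidatedFirstName();
if (len(firstName) eq 0) {
    // Treat a rejected value the same way regardless of which scope it came from.
    writeOutput("Invalid or missing first name.");
} else {
    writeOutput("Hello, " & htmlEditFormat(firstName));
}
</cfscript>
```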

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:313364