> Since the form submit won't inherently send the 'type' of the field
> that was sent, you could use a method of naming your fields according
> to the type of form field that was used. e.g. <select name="sel_state"><option>...
> or <input type="text" name="txt_Name_First">
> or <textarea name="tarea_comments">
>
> Just a thought.
>
> William

That's what I had been doing, but I realized that this method left me vulnerable to tampering, since keywords in the field name are sent to the user. The keywords could be changed, thus bypassing the validation.

I now realize, from the responses above, that saving the name and type (on the server, in a session variable) is the answer. I can continue to use coded field names, but also do a comparison of what was sent to what was returned, and if anything was changed in the field name, I can simply abort; better yet, I will know that there was an attempt to tamper with the form, and I can block the IP (for one hour, five hours, a day, etc.).

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:323428
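
The session-stored name/type comparison described in the reply above, sketched as an added example (not code from the thread). The function names `registerForm` and `checkSubmission`, the schema layout and the `maxLen`/`options` keys are hypothetical; it assumes session management is enabled and CFScript function syntax (ColdFusion 9 or later).

```cfml
<cfscript>
// Added example. registerForm/checkSubmission and the schema layout are hypothetical.

// Call while rendering the form: keep each field's name and type on the server.
function registerForm(required string formId, required struct fields) {
    if (!structKeyExists(session, "formSchemas")) {
        session.formSchemas = {};
    }
    session.formSchemas[arguments.formId] = duplicate(arguments.fields);
}

// Call in the form handler: compare what came back with what was sent out.
function checkSubmission(required string formId, required struct submitted) {
    var result = { ok = true, errors = [] };
    var schema = "";
    var name = "";
    var rule = "";
    if (!structKeyExists(session, "formSchemas")
            || !structKeyExists(session.formSchemas, arguments.formId)) {
        result.ok = false;
        arrayAppend(result.errors, "no schema stored for this form");
        return result;
    }
    schema = session.formSchemas[arguments.formId];
    for (name in arguments.submitted) {
        // ColdFusion adds FIELDNAMES itself; every other key must be one we issued.
        if (name != "fieldnames" && !structKeyExists(schema, name)) {
            arrayAppend(result.errors, "unexpected field: " & name);
        }
    }
    for (name in schema) {
        // Unchecked boxes and empty selects are not submitted, so absence is allowed here.
        if (!structKeyExists(arguments.submitted, name)) { continue; }
        rule = schema[name];
        // The type comes from the session, never from the field name the client returned.
        if (rule.type == "select" && !listFindNoCase(rule.options, arguments.submitted[name])) {
            arrayAppend(result.errors, "value not among issued options: " & name);
        } else if (rule.type != "select" && len(arguments.submitted[name]) > rule.maxLen) {
            arrayAppend(result.errors, "value too long: " & name);
        }
    }
    result.ok = arrayIsEmpty(result.errors);
    return result;
}
</cfscript>
```

Call `registerForm("contact", { sel_state = { type = "select", options = "NY,CA,TX" }, txt_Name_First = { type = "text", maxLen = 50 } })` before outputting the form (the values are constructed samples), then `checkSubmission("contact", form)` in the action page. A renamed prefix such as `txt_state` in place of `sel_state` then shows up as an unexpected field instead of selecting a weaker validator.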

