At 12:08 PM 2/1/01 -0500, you wrote:
>i have a form which takes a few input fields, then passes them to a 2nd
>template for evaluation, a url is built that needs to include the variables
>from the form if they exist, which is then sent via cflocation to a 3rd
>template for the appropriate action.
>
>on the 2nd template, i am using cflocation with a few cfif statements inside
>it to determine if the form fields were present and build the url
>accordingly, if i enter a line break before the cfif, cf does not pass the
>values in the url, the only way it seems to want to work is if i run the
>whole thing together,
>
>cf includes the passed variables in the url, but the url looks terrible as
>it includes the cfif code....
>
>please tell me i am missing something obvious or there is a cleaner way to
>do this.
>
>-------cf code---------------
><cflocation
>url="http://#attributes.serverip#/mydir/mytemplate.cfm?username=#attributes.
>username#<cfif
>#isDefined("attributes.dsn1")#>&dsn1=#attributes.dsn1#<cfelseif
>#isDefined("attributes.dsn2")#>&dsn2=#attributes.dsn2#<cfelseif
>#isDefined("attributes.dsn3")#>&dsn3=#attributes.dsn3#</cfif>">
>-------------------------------
>
>------------url produced from above code-------------------
>http://serverip/mydir/mytemplate.cfm?username=user23<cfif%20YES>&dsn1=blah1<
>cfelseif%20YES>&dsn2=blah2<cfelseif%20YES>&dsn3=blah3</cfif>

There are a couple of security issues with this and I would avoid it at all 
costs. First of all, you never want to have brackets in your URL; allowing 
brackets to be passed in the URL opens you up to cross-site scripting. 
Cross-site scripting is bad bad bad. Serious server hacks available. The 
second security issue is that you are sending variables called dsn<somenumber>. 
Even if you want to pass a datasource reference, you want to make sure that 
the reference doesn't shout "Hey look! It's a datasource!" Again, you don't 
want to HELP people hack your server.

OK, now what you may be having a problem with here is not actually that you 
want to send CFIF statements through the URL, but rather that you want to 
check these things and build the URL that way. If this is what you want and 
you nest the CFIF tags inside the other CF tags, you will not get what you 
are expecting. Instead, you should build the URL in another part of the 
page and send the URL to the cflocation tag like this:

<cfset appendtourl="">
<cfif isDefined("attributes.dsn1")>
    <cfset appendtourl="&dsn1=#attributes.dsn1#">
<cfelseif isDefined("attributes.dsn2")>
    <cfset appendtourl="&dsn2=#attributes.dsn2#">
<cfelseif isDefined("attributes.dsn3")>
    <cfset appendtourl="&dsn3=#attributes.dsn3#">
</cfif>

<cflocation url="http://#attributes.serverip#/mydir/mytemplate.cfm?username=#attributes.username##appendtourl#">

Does this fix your problem? Never ever ever send < or > in a URL. If you do 
that, people will realize they can hack your site and they'll try just to 
see what happens. It's basically an invitation.

If you need to detect which dsn number is being passed, you should put the 
code for that in the target page.


Now announcing my newly updated website
http://www.blivit.org/mr_urc/index.cfm
Resume: http://www.blivit.org/mr_urc/resume.cfm
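An added example, not code from either poster in this thread: a version of the 2nd template that follows the advice above (build the query string first, then hand it to cflocation) and also URL-encodes every value with URLEncodedFormat(), so a "<" or ">" in a form field can never reach the URL unencoded, and passes the chosen datasource under a neutral parameter name instead of dsn1/dsn2/dsn3. The host allow-list, the parameter name "src", and the cfparam defaults are assumptions made so the template runs stand-alone; the Fusebox-style "attributes" scope is the one used in the thread.

```cfml
<!--- Added example (not the list poster's code). Builds the redirect URL in a
      separate step, URL-encodes every value so "<" and ">" never appear raw in
      the query string, and sends the chosen datasource under a neutral
      parameter name ("src") rather than "dsn1"/"dsn2"/"dsn3". --->

<!--- Constructed sample input so the template runs stand-alone; in the real
      template these arrive from the form post via the attributes scope. --->
<cfparam name="attributes.serverip" default="192.0.2.10">
<cfparam name="attributes.username" default="user23">
<cfparam name="attributes.dsn2" default="blah2">

<!--- Assumption: only these hosts are legitimate redirect targets. Checking the
      host keeps a tampered serverip field from redirecting users elsewhere. --->
<cfset allowedHosts = "192.0.2.10,intranet.example.com">
<cfif NOT ListFindNoCase(allowedHosts, attributes.serverip)>
    <cfabort showerror="Refusing to redirect to an unexpected host.">
</cfif>

<!--- Every value goes through URLEncodedFormat(): a username of
      user<b>x</b> becomes user%3Cb%3Ex%3C%2Fb%3E, which is just data. --->
<cfset qs = "username=" & URLEncodedFormat(attributes.username)>

<!--- Pick the first dsnN that was posted (same precedence as the original
      cfif/cfelseif chain). StructKeyExists avoids the isDefined() call with
      pound signs around it that the original template used inside cfif.
      The parameter name "src" is an assumption; the target template maps it
      back to a datasource, so the URL no longer advertises what it carries. --->
<cfloop index="i" from="1" to="3">
    <cfif StructKeyExists(attributes, "dsn" & i)>
        <cfset qs = qs & "&src=" & URLEncodedFormat(attributes["dsn" & i])>
        <cfbreak>
    </cfif>
</cfloop>

<!--- With the sample defaults the redirect target is
      http://192.0.2.10/mydir/mytemplate.cfm?username=user23&src=blah2 --->
<cflocation url="http://#attributes.serverip#/mydir/mytemplate.cfm?#qs#" addtoken="no">
```

If the value in dsnN is literally a ColdFusion datasource name, send an opaque token (a number or short code) and resolve it to the real datasource on the target page, which is also where the reply above says the dsn detection belongs.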


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
