interesting point, about "HTTP headers can be faked".  CF generates the
FORM scope during a request from the HTTP request headers.  So if you
don't trust one, can't trust the other.

-----Original Message-----
From: Andrew Tyrone [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 8:55 AM
To: CF-Talk
Subject: RE: Is it really POST?


-----Original Message-----
From: Michael Lugassy [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 08, 2001 2:40 PM
To: CF-Talk
Subject: Is it really POST?


How can I check if the .cfm file was submitted using POST and not GET?
(I'm trying to prevent, as far as possible, people from submitting the
params using the URL and not form fields).

Thanks,

Michael Lugassy


----

Well this was interesting when I tested it.  I made two pages:

<!--- testform.cfm --->

<form name="newform" action="testform_action.cfm" method="get">

Test Form:<br>
<input type="text" name="test1" value="">

<input type="hidden" name="hidden1" value="yep, I'm hidden!">

<input type="submit" name="submitbutton" value="click to gooooo">

</form>



<!--- testform_action.cfm --->

<cfif IsStruct(form)>

FORM is defined.

<br><br>
<cfloop collection="#form#" item="thisvar">
        <cfoutput>#thisvar#<br></cfoutput>
</cfloop>

<cfelse>

FORM is not defined.

</cfif>


Now, if you run the first page and submit it, whether you keep the FORM
method as GET or change it to POST, the IsStruct() function will tell
you that FORM is indeed a structure.  This first led me to believe that
even though the form was submitted by GET, CF still knew a form had been
submitted.  Now, even though I didn't check (bad), I surmise that the
called page doesn't know a form has been submitted when method="GET"
because if you run the second page on its own, FORM is STILL a
structure.  I might be wrong about that, but I still have a solution
that I think will work for you.  Since the FORM structure exists on
every page, and is empty on some, if you change the IsStruct() function
to the StructIsEmpty() one, you will be able to tell if a form was
submitted by GET and not post.

I figured this was a good alternative method since HTTP headers can be
faked.


-Andy
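
Added example (not part of the original thread, and not code from either poster): one way for testform_action.cfm to accept only POSTed fields, combining CGI.REQUEST_METHOD with explicitly scoped FORM reads. The 405/400 responses and the 100-character limit are assumptions made for the illustration; since the method and the FORM fields both come from the client's request, the values are still validated on the server.

```cfml
<!--- testform_action.cfm (added example, not from the original thread) --->
<!--- Field names test1 and hidden1 are the ones used in testform.cfm. --->

<!--- 1. Refuse anything that did not arrive as POST. --->
<cfif CompareNoCase(cgi.request_method, "POST") neq 0>
    <cfheader statuscode="405" statustext="Method Not Allowed">
    <cfheader name="Allow" value="POST">
    This page only accepts POST.
    <cfabort>
</cfif>

<!--- 2. FORM is a structure on every request, so test for the expected
         fields rather than for the scope itself. --->
<cfif StructIsEmpty(form)
      or not StructKeyExists(form, "test1")
      or not StructKeyExists(form, "hidden1")>
    <cfheader statuscode="400" statustext="Bad Request">
    Required form fields are missing.
    <cfabort>
</cfif>

<!--- 3. Read with the form. prefix only. An unscoped #test1# is looked up
         in URL before FORM, so a query-string value could stand in for it. --->
<cfset cleanTest1 = Trim(form.test1)>

<!--- 4. A POST can carry any value, hidden fields included, so validate
         before use. The 100-character limit is an assumed rule. --->
<cfif Len(cleanTest1) eq 0 or Len(cleanTest1) gt 100>
    <cfheader statuscode="400" statustext="Bad Request">
    test1 is empty or too long.
    <cfabort>
</cfif>

<!--- 5. Encode on output so the submitted text is not rendered as markup. --->
<cfoutput>Received: #HTMLEditFormat(cleanTest1)#</cfoutput>
```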