>
> > Why would anyone need to clean cfcode? Unless you save user input to a
> > file and cfinclude it, it will not get executed.
>
>
> Many people generate dynamic forms and loop over either form.fieldnames
> or the form collection to evaluate the forms that are posted back. This
> frequently involves the Evaluate() function. Something like:
> <cfloop list="#form.fieldnames#" index="field">
> <cfset temp = Evaluate(field)>
> other code
> </cfloop>
This is bad for multiple reasons. I don't deny that many people do it,
but as a reminder, it's much easier, and quicker, to do:
<cfset temp = form[field]>
Furthermore, this is only an issue if you pass a _function_ as you
describe below.
> In testing somebody's site I have used this to slow his site to a crawl
> by making a custom form with code like:
> <form action="">
> <input type="text" name="CFUSION_DBCONNECTIONS_FLUSH()">
> </form>
Interesting. Good point. This is one more reason why we need to preach
to people to NOT use evaluate to get form fields. I need to go on a
crusade or something. ;)
=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email : [EMAIL PROTECTED]
Yahoo IM : morpheus
"My ally is the Force, and a powerful ally it is." - Yoda
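The safe loop Raymond recommends, written out as an added example (not code from this thread): the field name is used only as a struct key and is checked against an allowlist before it is touched, and unexpected names are logged rather than evaluated. The allowlist `expectedFields` and the log file name `formguard` are assumptions for the example.

```cfml
<!--- Added example, not from the thread. Put this in the page a form posts to;
      "form" is the real request scope, "expectedFields" is an assumed allowlist. --->
<cfset expectedFields = "username,email,comment">
<cfset clean = structNew()>
<cfset rejected = arrayNew(1)>

<cfloop list="#form.fieldnames#" index="field">
    <!--- Do NOT write <cfset temp = Evaluate(field)>: Evaluate() parses the field
          NAME as a CFML expression, so a posted name of the form "someFunction()"
          is executed with the server's privileges instead of being looked up. --->

    <!--- Struct lookup: the name is only a key into the form scope and is never
          parsed, so an expression-shaped name is just an unknown key. --->
    <cfif listFindNoCase(expectedFields, field)>
        <cfset clean[field] = form[field]>
    <cfelse>
        <!--- Unknown name: record it for review, never evaluate or echo it raw. --->
        <cfset arrayAppend(rejected, field)>
    </cfif>
</cfloop>

<cfif arrayLen(rejected)>
    <!--- Surface tampered or unexpected field names to the application log. --->
    <cflog file="formguard" type="warning"
           text="Unexpected form fields from #cgi.remote_addr#: #arrayToList(rejected)#">
</cfif>
```

Only keys in `clean` reach the rest of the page; the `rejected` list is what an operator would watch for probes like the custom form described above.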
______________________________________________________________________
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists