I'm not at 100%, but I'm gonna say that NONE OF YA ARE! I believe we're on
a hot topic here, one worth exploring...
OK, I'll play devil's advocate here... Let's say you are formurl2attributes
everything, so all of your form and URL vars get scoped to attributes, and in
your coding you prefix ALL your vars to attributes.
I'd hazard to guess that there are some SQL queries that are built from
variables not previously URLable that could now be maliciously modified with
a url-appended variable, "www.foo.com&ID=3(DROP%20DATABASE%20FOO)" or
something like that...
I'm just tossing ideas out here before I adopt the "scope 'em all"
philosophy.
Alan McCollough
Web Programmer
Alaska Native Medical Center
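The failure mode Alan raises above, as an added example that is not code from the thread or from Fusebox: a Python stand-in for formurl2attributes with cfparam-style defaults, showing a URL key overriding the internal ID a query is built from, an allowlist of expected request keys as the fix on the scoping side, and a bound parameter as the fix on the query side. The table, the query string and all function names are constructed for the example.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed in-memory table standing in for the app's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE widgets (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO widgets VALUES (?, ?)",
                     [(1, "gear"), (2, "sprocket"), (3, "cog")])
    return conn

def attributes_naive(querystring, form, defaults):
    """formurl2attributes as the thread describes it: every FORM and URL
    variable is copied into attributes, then cfparam-style defaults fill in
    whatever is still missing. So a URL key silently wins over the default."""
    attributes = dict(form)
    attributes.update({k: v[0] for k, v in parse_qs(querystring).items()})
    for k, v in defaults.items():
        attributes.setdefault(k, v)
    return attributes

def attributes_allowlisted(querystring, form, defaults, allowed):
    """Same merge, but only keys the page expects from the request are kept,
    so an internal name such as ID cannot be supplied from the URL."""
    merged = dict(form)
    merged.update({k: v[0] for k, v in parse_qs(querystring).items()})
    attributes = {k: v for k, v in merged.items() if k in allowed}
    for k, v in defaults.items():
        attributes.setdefault(k, v)
    return attributes

def lookup_unsafe(conn, attributes):
    # Mirrors <cfquery> ... WHERE id = #attributes.ID#: the value is pasted
    # into the statement text, so it can change the statement's structure.
    sql = f"SELECT name FROM widgets WHERE id = {attributes['ID']}"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, attributes):
    # Bound parameter (what cfqueryparam gives you): the value is data only.
    rows = conn.execute("SELECT name FROM widgets WHERE id = ?", (attributes["ID"],))
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = make_db()
    defaults = {"ID": "3"}   # the cfparam default the page author intended
    tampered = "search=gear&ID=3%20OR%201%3D1"   # constructed URL string
    print(lookup_unsafe(conn, attributes_naive(tampered, {}, defaults)))
    print(lookup_safe(conn, attributes_naive(tampered, {}, defaults)))
    print(lookup_safe(conn, attributes_allowlisted(tampered, {}, defaults, {"search"})))
```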
> -----Original Message-----
> From: Nat Papovich [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, July 17, 2000 9:40 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Need to toggle URL and FORM vars
>
> But if you attributes scope that "dbupdated" variable, you might kiss
> yourself later. Imagine if, when demo-ing the yet unfinished app to your
> client, for some inexplicable reason, dbupdated gets whacked or out of line
> somehow. It's expecting "Widget was added successfully", but it's getting
> "Widget added successfully". Now your app is broken until you access the
> source code and change the conditional to check for the different text
> string. But if, in the midst of this demo, you remember that dbupdated is
> attributes scoped, you can append
> "dbupdated=Widget%20was%20added%20successfully" to your url string, and it
> works! (provided that cfset was instead a cfparam, but you get the idea).
>
> Now before everyone points out the obvious security loopholes here, I'll say
> it. IMPROPER CODING CREATES OBVIOUS SECURITY LOOPHOLES. This allows for
> greater flexibility, but more chance of things going "differently".
>
> Also, if you use attributes scope in your logic code, you can do cool stuff
> like post the search string to the url string so if a user wants to bookmark
> a search results page, they sure as heck can, because your search
> results processing page will handle a search query via a form variable, url
> variable, or (heck) even attributes variable if you ever wanted to cfmodule
> your search circuit.
>
> 100%?
>
> -----Original Message-----
> From: Erik Voldengen [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 17, 2000 10:05 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: Need to toggle URL and FORM vars
>
>
> Nope. Now you are down to 97%.
>
> The VARIABLES scope is great for things like:
>
> <cfset dbupdated="Widget was added successfully">
>
> in an act file, and
>
> <cfoutput>#Variables.dbupdated#</cfoutput>
>
> in a dsp_ file that immediately follows that act_ file
> within the <CFCASE>.
>
>
> > -----Original Message-----
> > From: McCollough, Alan [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, July 17, 2000 9:58 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: Need to toggle URL and FORM vars
> >
> >
> > Ah, the lightbulb is up to 98% on. So as a principle, do you scope every
> > occurrence of a variable with the attributes. prefix?
> >
> > Alan McCollough
> > Web Programmer
> > Alaska Native Medical Center
> ------------------------------------------------------------------------------
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/fusebox or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in
> the body.