Brian H. said the following on 02/15/2011 12:39 PM:
> I, for instance, use argumentCollection pass method quite often, and
> pass in the entire args struct (often adding additional fields to that
> struct) and sometimes there are fields in the struct that do not match
> the method signature of my service layer, but that method simply
> ignores those arguments.

There is a possibility by passing a struct representation of the event object that you open the door for security issues or intended side-effects. For example, you might have a <cfargument name="showAdmins" type="boolean" required="false" default="false"/>. You never open this option up in your UI, but it's trivial to add this to the URL or a form post and get that passed into your model layer. Therefore it could be a security issue or at the minimum unintended features being used. Now, the chances are low, but the target on your chest gets bigger as your website gets more popular or if you're dealing with sensitive data.
Just food for thought.

.pjf
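The exposure described in the message above, shown next to an allowlisted call, as an added example that is not part of the original post and not Mach-II's own code. The component and the names `listUsers`, `pickArgs`, `listUsersUnfiltered` and `listUsersFiltered` are hypothetical, and `requestArgs` stands in for the event args struct built from URL and form fields.

```cfml
<cfcomponent output="false" hint="Added example: allowlist request data before argumentCollection">

	<!--- Service method with the optional flag from the message; the UI never sends showAdmins --->
	<cffunction name="listUsers" access="public" returntype="string" output="false">
		<cfargument name="search" type="string" required="false" default="" />
		<cfargument name="showAdmins" type="boolean" required="false" default="false" />
		<cfreturn "search=#arguments.search#;showAdmins=#arguments.showAdmins#" />
	</cffunction>

	<!--- Hypothetical helper: copy only the keys this call site is allowed to set --->
	<cffunction name="pickArgs" access="public" returntype="struct" output="false">
		<cfargument name="source" type="struct" required="true" />
		<cfargument name="allowedKeys" type="string" required="true" hint="Comma-delimited list" />
		<cfset var result = StructNew() />
		<cfset var key = "" />
		<cfloop list="#arguments.allowedKeys#" index="key">
			<cfif StructKeyExists(arguments.source, key)>
				<cfset result[key] = arguments.source[key] />
			</cfif>
		</cfloop>
		<cfreturn result />
	</cffunction>

	<!--- Risky form: every request field, including an added showAdmins, is bound to the signature --->
	<cffunction name="listUsersUnfiltered" access="public" returntype="string" output="false">
		<cfargument name="requestArgs" type="struct" required="true" />
		<cfreturn listUsers(argumentCollection=arguments.requestArgs) />
	</cffunction>

	<!--- Hardened form: only "search" can come from the request; showAdmins keeps its default --->
	<cffunction name="listUsersFiltered" access="public" returntype="string" output="false">
		<cfargument name="requestArgs" type="struct" required="true" />
		<cfreturn listUsers(argumentCollection=pickArgs(arguments.requestArgs, "search")) />
	</cffunction>

</cfcomponent>
```

With a constructed `requestArgs` struct that holds both `search` and `showAdmins` keys, the unfiltered call passes the caller's `showAdmins` value through to the service, while the filtered call drops it. Privileged flags should be set explicitly by server-side code after an authorization check.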
