Absolutely... but the point of encrypting IDs is to keep bad users from seeing/manipulating data they shouldn't see.

You should always try to handle all potential situations (including a messed-with encrypted ID). If you use a proper encryption tag (like cf_crypt) it will know if the encrypted value has been messed with and produce a non-numeric result when decrypting (which will cause any queries or perhaps boolean logic based on that ID to fail). If your code properly tries/catches errors, this error will be handled gracefully. IMHO if a user messes with a URL var they deserve an error message (not a CF error message but a nice error template telling them something is wrong).

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
  ----- Original Message -----
  From: Raymond Camden
  To: CF-Talk
  Sent: Tuesday, December 09, 2003 1:41 PM
  Subject: RE: Another simple question...

  Err, as I said before, even _if_ you encrypt it, the user can mess with it.
  The point is this -

  Your code should handle:

  A missing ID
  A bad ID (like id=apple)
  An ID that doesn't make sense (id=-1)
  An ID that points to a non-existent record (id=10900000000)

  And add to that any other logic. So, for example, if you show an
  index of press releases that have been marked as "Active" in the database,
  then your logic on the page that displays a PR should repeat that logic. Ie,
  load the PR where active=1 and id=#url.id#.

  Encrypting your ID won't stop me from changing the value, it just won't let
  me (most likely) get a good value. But if you code your application right,
  it wouldn't matter if I broke your encryption.
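As an added illustration of the checks Raymond lists (not code from either poster, and written in Python against an in-memory SQLite table rather than CFML), this shows a page loader that rejects a missing, non-numeric, nonsense or non-existent id and repeats the index page's `active=1` filter so a guessed id cannot reach a record the index never showed. The table and rows are constructed sample data.

```python
import re
import sqlite3
from typing import Optional

# Constructed sample data standing in for the press-release table.
ROWS = [
    (1, "Launch announcement", 1),    # active: listed on the index page
    (2, "Draft, not yet public", 0),  # inactive: must not be reachable by id alone
]

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE press_release (id INTEGER PRIMARY KEY, title TEXT, active INTEGER)"
    )
    conn.executemany("INSERT INTO press_release VALUES (?, ?, ?)", ROWS)
    return conn

def parse_id(raw: Optional[str]) -> Optional[int]:
    """Return a positive integer id, or None for a missing, non-numeric or nonsense value."""
    if raw is None:                              # missing ID
        return None
    raw = raw.strip()
    if not re.fullmatch(r"[0-9]+", raw):         # id=apple, id=-1, id=1.5, id=1 OR 1=1 ...
        return None
    value = int(raw)
    if value <= 0:                               # id=0 makes no sense either
        return None
    return value

def load_press_release(conn: sqlite3.Connection, url_params: dict) -> Optional[dict]:
    """Load one press release with the same filter the index page used: active=1 AND id=?."""
    pr_id = parse_id(url_params.get("id"))
    if pr_id is None:
        return None                              # caller renders the friendly error template
    row = conn.execute(
        "SELECT id, title FROM press_release WHERE active = 1 AND id = ?",
        (pr_id,),                                # bound parameter, never string-built SQL
    ).fetchone()
    if row is None:                              # non-existent record, or one the index hid
        return None
    return {"id": row[0], "title": row[1]}

if __name__ == "__main__":
    db = make_db()
    for raw in (None, "apple", "-1", "10900000000", "2", "1"):
        print(repr(raw), "->", load_press_release(db, {} if raw is None else {"id": raw}))
```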