;-)  Yep...definitely the right tool for the job then in your case.  I'd say let 'em screw with the URL and show 'em an error page when they do ;-)

So the cf_crypt tag bombs eh?  so far I haven't seen a problem....but then again sometimes this tag gets confused with cf_cryp (which acts VERY similar and the name is VERY close...hmmmmm) ;-)

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
  ----- Original Message -----
  From: Che Vilnonis
  To: CF-Talk
  Sent: Tuesday, December 09, 2003 2:00 PM
  Subject: RE: Another simple question...

  man, you guys are taking this to the next level.
  yes, I check for errors. yes, I use Val() and cfqueryparam.
  yes, I display a 'custom' message to the user when a record cannot be found.

  I'm just trying to save what little horsepower I have left in my webserver.
  Bryan,
  I do use cf_crypt. I think you recommended it to me a while back. That is,
  in fact, the tag that occasionally bombs out.

  The site is an information portal. News, articles, reviews and such. There
  are no user levels. Just a bunch of passed URL strings that I don't want
  people to mess with.

  ~CV

    -----Original Message-----
    From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
    Sent: Tuesday, December 09, 2003 4:47 PM
    To: CF-Talk
    Subject: Re: Another simple question...

    absolutely....but the point of encrypting IDs is to keep bad users from
    seeing/manipulating data they shouldn't see.

    You should always try and handle all potential situations (including a
    messed-with encrypted ID).  If you use a proper encryption tag (like
    cf_crypt) it will know if the encrypted value has been messed with and
    produce a non-numeric result when decrypting (which will cause any queries
    or perhaps boolean logic based on that ID to fail).  If your code properly
    tries/catches errors this error will be handled gracefully.  IMHO if a user
    messes with a URL var they deserve an error message (not a CF error message
    but a nice error template telling them something is wrong).

    Cheers

    Bryan Stevenson B.Comm.
    VP & Director of E-Commerce Development
    Electric Edge Systems Group Inc.
    t. 250.920.8830
    e. [EMAIL PROTECTED]

    ---------------------------------------------------------
    Macromedia Associate Partner
    www.macromedia.com
    ---------------------------------------------------------
    Vancouver Island ColdFusion Users Group
    Founder & Director
    www.cfug-vancouverisland.com
      ----- Original Message -----
      From: Raymond Camden
      To: CF-Talk
      Sent: Tuesday, December 09, 2003 1:41 PM
      Subject: RE: Another simple question...

      Err, as I said before, even _if_ you encrypt it, the user can mess with
      it. The point is this -

      Your code should handle:

      A missing ID
      A bad ID (like id=apple)
      An ID that doesn't make sense (id=-1)
      An ID that points to a nonexistent record (id=10900000000)

      And add to that any other logic. So, for example, if you show an
      index of press releases that have been marked as "Active" in the
      database, then your logic on the page that displays a PR should repeat
      that logic. I.e., load the PR where active=1 and id=#url.id#.

      Encrypting your ID won't stop me from changing the value, it just won't
      let me (most likely) get a good value. But if you code your application
      right, it wouldn't matter if I broke your encryption.
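The four cases in Raymond's checklist, plus Bryan's point that a tampered encrypted ID should decrypt to something non-numeric and be caught rather than thrown as a ColdFusion error, as an added ColdFusion example. This is not code from the thread or from any of its participants. It assumes url.id arrives as the output of ColdFusion's built-in Encrypt() (the cf_crypt custom tag discussed above is not used here), a key in application.idKey, a datasource name in application.dsn, a press_releases table with id, title, body and active columns, and two error templates named error_badrequest.cfm and error_notfound.cfm; every one of those names is an assumption.

```cfml
<!--- Added example, not code from the thread. Assumed names: application.idKey,
      application.dsn, table press_releases(id, title, body, active), and the
      two error templates included below. --->
<cfparam name="url.id" default="">

<!--- Decrypt inside cftry. A tampered token either throws or decrypts to
      garbage; both paths leave idValue empty or non-numeric, which the
      validation below treats exactly like a missing or bad ID. --->
<cfset idValue = "">
<cftry>
    <cfif Len(url.id)>
        <cfset idValue = Decrypt(url.id, application.idKey)>
    </cfif>
    <cfcatch type="any">
        <cfset idValue = "">
    </cfcatch>
</cftry>

<!--- Missing ID, bad ID (id=apple or mangled ciphertext) and an ID that
      doesn't make sense (id=-1) all end here with a friendly template,
      not a ColdFusion error page. --->
<cfif NOT isNumeric(idValue) OR Val(idValue) LTE 0>
    <cfinclude template="error_badrequest.cfm">
    <cfabort>
</cfif>

<!--- Repeat the index page's rule (active = 1) so a valid ID for an inactive
      record is treated the same as a nonexistent one. cfqueryparam types the
      value as an integer and keeps it out of the SQL text. A value outside the
      integer range (id=10900000000) raises a database error, which the catch
      turns into the same not-found page as an unknown record. --->
<cftry>
    <cfquery name="getPR" datasource="#application.dsn#">
        SELECT id, title, body
        FROM press_releases
        WHERE active = 1
          AND id = <cfqueryparam value="#Val(idValue)#" cfsqltype="cf_sql_integer">
    </cfquery>
    <cfcatch type="any">
        <cfinclude template="error_notfound.cfm">
        <cfabort>
    </cfcatch>
</cftry>

<!--- ID that points to no active record --->
<cfif getPR.recordCount EQ 0>
    <cfinclude template="error_notfound.cfm">
    <cfabort>
</cfif>

<cfoutput>
    <h1>#HTMLEditFormat(getPR.title)#</h1>
    <div>#getPR.body#</div>
</cfoutput>
```

The point of putting the active = 1 condition in the detail query, rather than only on the index page, is that an ID which was never linked from the index (an inactive or unpublished record) cannot be reached by guessing a number: the page answers with the same not-found template whether the record is absent or merely hidden.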