thanks...I'll be awaiting it.
  -----Original Message-----
  From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, December 09, 2003 5:14 PM
  To: CF-Talk
  Subject: Re: Another simple question...

  yep...that's the one I had some problems with as well...I'll fire ya the proper tag offlist ;-)

  Bryan Stevenson B.Comm.
  VP & Director of E-Commerce Development
  Electric Edge Systems Group Inc.
  t. 250.920.8830
  e. [EMAIL PROTECTED]

  ---------------------------------------------------------
  Macromedia Associate Partner
  www.macromedia.com
  ---------------------------------------------------------
  Vancouver Island ColdFusion Users Group
  Founder & Director
  www.cfug-vancouverisland.com
    ----- Original Message -----
    From: Che Vilnonis
    To: CF-Talk
    Sent: Tuesday, December 09, 2003 2:08 PM
    Subject: RE: Another simple question...

    uh-oh...just looked at my code. i have cf_cryp. is that a bad custom tag????
    if so, Bryan, could you send me a link for your recommended custom tag, cf_crypt?

    thanks, che

    -----Original Message-----
    From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
    Sent: Tuesday, December 09, 2003 5:03 PM
    To: CF-Talk
    Subject: Re: Another simple question...

    ;-)  Yep...definitely the right tool for the job then in your case.  I'd say let 'em screw with the URL and show 'em an error page when they do ;-)

    So the cf_crypt tag bombs eh?  So far I haven't seen a problem....but then again sometimes this tag gets confused with cf_cryp (which acts VERY similar and the name is VERY close...hmmmmm) ;-)

    Cheers

      ----- Original Message -----
      From: Che Vilnonis
      To: CF-Talk
      Sent: Tuesday, December 09, 2003 2:00 PM
      Subject: RE: Another simple question...

      man, you guys are taking this to the next level.
      yes, I check for errors. yes, I use Val() and cfqueryparam.
      yes, I display a 'custom' message to the user when a record cannot be found.

      i'm just trying to save what little horsepower I have left in my webserver.
      Bryan,
      I do use cf_crypt. I think you recommended it to me a while back. That is, in fact, the tag that occasionally bombs out.

      The site is an information portal. News, articles, reviews and such. There are no user levels. Just a bunch of passed URL strings that I don't want people to mess with.

      ~CV

        -----Original Message-----
        From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
        Sent: Tuesday, December 09, 2003 4:47 PM
        To: CF-Talk
        Subject: Re: Another simple question...

        absolutely....but the point of encrypting IDs is to keep bad users from seeing/manipulating data they shouldn't see.

        You should always try and handle all potential situations (including a messed with encrypted ID).  If you use a proper encryption tag (like cf_crypt) it will know if the encrypted value has been messed with and produce a non-numeric result when decrypting (which will cause any queries or perhaps boolean logic based on that ID to fail).  If your code properly trys/catches errors this error will be handled gracefully.  IMHO if a user messes with a URL var they deserve an error message (not CF error message but a nice error template telling them something is wrong).

        Cheers

          ----- Original Message -----
          From: Raymond Camden
          To: CF-Talk
          Sent: Tuesday, December 09, 2003 1:41 PM
          Subject: RE: Another simple question...

          Err, as I said before, even _if_ you encrypt it, the user can mess with it.
          The point is this -

          Your code should handle:

          A missing ID
          A bad ID (like id=apple)
          An ID that doesn't make sense (id=-1)
          An ID that points to a non existent record (id=10900000000)

          And add to that any other logic. So, for example, if you show an index of press releases that have been marked as "Active" in the database, then your logic on the page that displays a PR should repeat that logic. Ie, load the PR where active=1 and id=#url.id#.

          Encrypting your ID won't stop me from changing the value, it just won't let me (most likely) get a good value. But if you code your application right, it wouldn't matter if I broke your encryption.
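
The checklist in Raymond Camden's message (missing, malformed, nonsensical and nonexistent IDs, plus repeating the active=1 rule), sketched as a CFML detail page. This is an added example, not code posted in the thread; the datasource `application.dsn`, the `pressReleases` table and its columns, and the `notfound.cfm` template are assumed names.

```cfml
<!--- Added example (constructed): press release detail page.
      Assumed names: application.dsn, pressReleases, notfound.cfm. --->
<cfparam name="url.id" default="">

<!--- A missing id, id=apple, id=-1 and id=10900000000 all fail this
      one pattern: 1 to 9 digits, which always fits a 32-bit integer. --->
<cfset validId = REFind("^[0-9]{1,9}$", url.id) and Val(url.id) gt 0>

<cfif validId>
  <cftry>
    <!--- Repeat the index page's rule (active = 1) so a guessed or
          tampered id cannot reach a record the index would not list. --->
    <cfquery name="getPR" datasource="#application.dsn#">
      SELECT id, title, body
      FROM pressReleases
      WHERE id = <cfqueryparam value="#Val(url.id)#" cfsqltype="cf_sql_integer">
        AND active = 1
    </cfquery>
    <cfcatch type="database">
      <!--- Treat a database error like any other failed lookup. --->
      <cfset validId = false>
    </cfcatch>
  </cftry>
</cfif>

<!--- One response for every failure case, so the page does not reveal
      whether an id exists but is inactive. --->
<cfif not validId or getPR.recordCount eq 0>
  <cfheader statuscode="404" statustext="Not Found">
  <cfinclude template="notfound.cfm">
  <cfabort>
</cfif>

<cfoutput>
  <h1>#HTMLEditFormat(getPR.title)#</h1>
  <div>#HTMLEditFormat(getPR.body)#</div>
</cfoutput>
```

The same checks apply unchanged when `url.id` is first decrypted by a custom tag: validate the decrypted value, not the ciphertext.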