Hey Guys,

 

Something crossed my mind this morning and I thought I'd run it past you,
see what your thoughts on it were. In my application I have a lot of queries
that pull data dependent on the user that is currently signed in using the
user_id which sits in their session. Now for the moment I pass this user_id
in as an argument to my functions that contain queries, like this.

 

<cffunction name="myFunction" access="public" returntype="query">
    <cfargument name="userid" type="numeric" required="true">

    <!--- datasource="myDSN" is a placeholder name; the value is bound with
          cfqueryparam rather than interpolated into the SQL string --->
    <cfquery name="qResult" datasource="myDSN">
        SELECT something
        FROM wherever
        WHERE userid = <cfqueryparam value="#arguments.userid#" cfsqltype="cf_sql_integer">
    </cfquery>

    <cfreturn qResult>
</cffunction>

 

I then call this function by doing the usual
MyObject.myFunction(Session.UserID)

 

Now is this the best way of doing this? Presumably there is a slight
vulnerability in security as anyone could effectively pass in any old user
ID and have it pull their information from the database. What I'd really
like to do is have that WHERE clause interact directly with the SESSION
scope to collect that user ID, that way the user HAS to have an active
session and will only ever be able to retrieve their information, and to get
an active session with a populated user_id they must have been
authenticated.

 

I know this might make the code a little less usable, but I feel that it's
probably a little more secure.

 

What do you think?

 

Rob
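The session-bound version described in the post, as an added example that is not code from the original message. It reads the user id from the SESSION scope inside the method, refuses to run unless the session is authenticated, and binds the value with cfqueryparam; the datasource "myDSN", the "users" table and the session.loggedIn flag are assumed names. A second method keeps the argument (easier to test) but checks it against the caller's own session.

```cfml
<!--- Added example, not from the original post. Assumed names: datasource
      "myDSN", table "users", session.loggedIn and session.userID. --->
<cfcomponent>

    <!--- Reads the id straight from the session; no caller-supplied id. --->
    <cffunction name="getMyProfile" access="public" returntype="query" output="false">
        <!--- Guard: only an authenticated session carries a usable user id. --->
        <cfif NOT (structKeyExists(session, "loggedIn") AND session.loggedIn
                   AND structKeyExists(session, "userID") AND isNumeric(session.userID))>
            <cfthrow type="AuthRequired" message="No authenticated session.">
        </cfif>

        <!--- cfqueryparam binds the value; it is never spliced into the SQL text. --->
        <cfquery name="qProfile" datasource="myDSN">
            SELECT user_id, email, display_name
            FROM users
            WHERE user_id = <cfqueryparam value="#session.userID#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn qProfile>
    </cffunction>

    <!--- Keeps the argument for testability, but ties it to the signed-in user. --->
    <cffunction name="getProfileFor" access="public" returntype="query" output="false">
        <cfargument name="userID" type="numeric" required="true">
        <cfif NOT structKeyExists(session, "userID") OR arguments.userID NEQ session.userID>
            <cfthrow type="Forbidden" message="Requested id does not match the signed-in user.">
        </cfif>
        <cfreturn getMyProfile()>
    </cffunction>

</cfcomponent>
```

Both methods fail closed: a request with no authenticated session, or one asking for another user's id, raises an exception before any query runs.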



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276997