Hey Guys,
Something crossed my mind this morning and I thought I'd run it past you and see what your thoughts on it were.

In my application I have a lot of queries that pull data dependent on the user that is currently signed in, using the user_id which sits in their session. For the moment I pass this user_id in as an argument to my functions that contain queries, like this:

    <cffunction name="myFunction">
        <cfargument name="userid">
        <cfquery name="qUser" datasource="#application.dsn#">
            SELECT something
            FROM wherever
            <!--- bind the id as a typed query parameter instead of interpolating it into the SQL --->
            WHERE userid = <cfqueryparam value="#arguments.userid#" cfsqltype="cf_sql_integer">
        </cfquery>
    </cffunction>

I then call this function by doing the usual:

    MyObject.myFunction(Session.UserID)

Now, is this the best way of doing this? Presumably there is a slight vulnerability in security, as anyone could effectively pass in any old user ID and have it pull their information from the database. What I'd really like to do is have that WHERE clause interact directly with the SESSION scope to collect that user ID; that way the user HAS to have an active session and will only ever be able to retrieve their information, and to get an active session with a populated user_id they must have been authenticated. I know this might make the code a little less usable, but I feel that it's probably a little more secure. What do you think?

Rob

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276997
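The following is an added example in CFML, not code from Rob's post or his application, showing one way to get the property he is after without reading the SESSION scope from inside the query: the CFC is handed the authenticated user's id exactly once, in init(), by the request handler that checks the session, and its query methods take no user id from callers at all. The id is bound with cfqueryparam, which also closes the SQL injection that interpolating #arguments.userid# straight into the SQL allows. Assumed names: a component UserData.cfc, a datasource "myDSN", a table "users" with integer column user_id plus email and display_name, a session key session.userID set at login, and a login page login.cfm. The block shows two files, marked by comments.

```cfml
<!--- ---- UserData.cfc ---- --->
<!--- Added example, not code from the original post. Assumes datasource
      "myDSN" and a table "users" with columns user_id (integer), email
      and display_name. --->
<cfcomponent output="false">

    <!--- The user id is fixed once, when the object is created, so no
          query method on this component accepts a user id from a caller.
          Whoever constructs the object decides whose data it can see. --->
    <cffunction name="init" access="public" returntype="UserData" output="false">
        <cfargument name="userId" type="numeric" required="true">
        <cfset variables.userId = arguments.userId>
        <cfreturn this>
    </cffunction>

    <cffunction name="getProfile" access="public" returntype="query" output="false">
        <cfset var qProfile = "">
        <!--- cfqueryparam sends the id as a typed bind parameter; it is never
              spliced into the SQL text, so a non-numeric or crafted value is
              rejected rather than executed. --->
        <cfquery name="qProfile" datasource="myDSN">
            SELECT user_id, email, display_name
            FROM   users
            WHERE  user_id = <cfqueryparam value="#variables.userId#" cfsqltype="cf_sql_integer">
        </cfquery>
        <cfreturn qProfile>
    </cffunction>

</cfcomponent>


<!--- ---- profile.cfm ---- --->
<!--- The request handler is the trust boundary. The id comes only from
      the session, never from URL or FORM, and a request with no
      authenticated session is sent to the login page before any object
      is created. --->
<cfif NOT StructKeyExists(session, "userID") OR NOT IsNumeric(session.userID)>
    <cflocation url="login.cfm" addtoken="false">
</cfif>

<cfset userData = CreateObject("component", "UserData").init(session.userID)>
<cfset qProfile = userData.getProfile()>

<cfoutput>
    <p>Signed in as #HTMLEditFormat(qProfile.display_name)# (#HTMLEditFormat(qProfile.email)#)</p>
</cfoutput>
```

The point of binding the id in init() rather than inside the query is that the SESSION scope is read in exactly one place, the request handler, and the component still works from a scheduled task, a unit test or an admin tool that has no session at all. A query that reads session.userID directly is not more secure than this: it only moves the same trust decision into the CFC and couples it to the request. In both designs the remaining risk is a caller that constructs the object with an id that did not come from the session, and that is a code-review matter the WHERE clause cannot enforce.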