> The main issue is you're exposing rules that are supposed to be enforced > by > the server, but you're exposing them to the client. This make it very easy > to bypass your server rules and potentially exposing your application to > bugs.
Duly noted. Thanks for the info. I guess my target audience tends to be non-tech types, so I never considered anyone changing hidden fields, or having any motivation to do so, as there is nothing to be gained. But I see what you're saying from a best practices standpoint, and it's trivial to move the config string from the form to the action page. The cfc I posted will still work exactly the same, it's not dependent on where the config string is defined. -- Josh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Get involved in the latest ColdFusion discussions, product development sharing, and articles on the Adobe Labs wiki. http://labs/adobe.com/wiki/index.php/ColdFusion_8 Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:286180 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4