At some point, you want to verify that you are passing an actual threadid
(to use your example) and not a SQL statement that someone has appended to
the url as threadid.  If you simply use the url variable you aren't doing
that.  If your cfqueryparam is checking for an integer you would probably be
ok, but if your cfqueryparam is looking for a string and you aren't doing
any testing on the url variable before using it in the query, you're open
to problems.

I rarely use url variables, but when I do I always check to make sure it
contains the type of data I am expecting it to contain.

On Thu, Mar 7, 2013 at 6:08 PM, Rick Root <rick.r...@gmail.com> wrote:

>
> How exactly are we asking for trouble by using URL variables within
> CFQUERYPARAMs?
>
> For example, a message board might link to a message topic with
> viewTopic.cfm?threadid=5
>
> You can't do form posts for every call to your application, so I'm curious
> as to how you propose doing this.
>
> <cfset myvar = url.threadId>
>
> And then use myVar?  I just don't see the point.
>
> Rick
>
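An added example (not code from either poster) of the check the reply describes, in CFML: each url variable is validated for the type of data it is expected to hold before it reaches the query, with the integer bound through cfqueryparam and a string value that cannot be bound (a sort direction) restricted to a fixed list. The viewTopic.cfm page and threadid come from the thread; the sortdir parameter, the "forum" datasource and the messages table are assumed for illustration.

```cfml
<!--- viewTopic.cfm: added example, not code from either poster.
      Each url variable is checked for the data type we expect
      before it is used in the query. --->

<!--- threadid must be a positive whole number; reject anything else --->
<cfif NOT structKeyExists(url, "threadid")
      OR NOT isValid("integer", url.threadid)
      OR url.threadid LTE 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid thread id.</cfoutput>
    <cfabort>
</cfif>

<!--- sortdir (assumed parameter) is a string that ends up in ORDER BY,
      which cfqueryparam cannot bind, so accept only values from our own list --->
<cfparam name="url.sortdir" default="asc">
<cfif NOT listFindNoCase("asc,desc", url.sortdir)>
    <cfset url.sortdir = "asc">
</cfif>

<!--- The integer is bound as an integer; the sort direction is one of
      two literals we chose ourselves, never the raw url string. --->
<cfquery name="getTopic" datasource="forum">
    SELECT   m.messageid, m.subject, m.body, m.posted
    FROM     messages m
    WHERE    m.threadid = <cfqueryparam value="#url.threadid#" cfsqltype="cf_sql_integer">
    ORDER BY m.posted <cfif url.sortdir EQ "desc">DESC<cfelse>ASC</cfif>
</cfquery>
```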


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354897