> This code would fail my own code review. I don't allow any
> "url." or "form." variables inside CFQUERY statements. This,
> however, might pass.
>
> <!--- Validate ID --->
> <cfif #isdefined("id")# is "true">
> <cfset theId=#val(htmleditformat(REreplacenocase(id,
> "[*,;^>:?<|\]", "" , "ALL" )))#>
> <cfelse>
> <cfset theId=0>
> </cfif>
>
> <!--- update time of last visit for this user --->
> <cfquery name="queryit" datasource="#dsn#">
> update people
> set updated = '#dateformat(now(), "MM/DD/YYYY")#'
> where peopleid = <cfqueryparam value="#theid#"
> cfsqltype="cf_sql_integer">
> </cfquery>
>
> (Note: I am not using CFQueryParam here as a validation tool.
> I already know the variable is an integer. This query is from
> a header and will fire every page load so I want successive
> queries to run from cache on the Database server.)
While it's better in this case to be too cautious, rather than not cautious
enough, you're really doing more work here than is necessary. If you want to
ensure that something is an integer, you can just use IsNumeric or the
CFPARAM tag, if you want to do that before you attempt to execute the query.
I agree with you that the validation should take place before the query,
since that way you can respond appropriately without having to put exception
handlers throughout your code. Also, you'd be better off not running the
query if the variable isn't defined beforehand, rather than initializing the
variable and running the query even though you won't return any results.
Also, there's nothing wrong with referencing the URL or Form scope within a
CFQUERY or CFSTOREDPROC, as long as you've validated the appropriate
variables within that scope. Remember, these scopes are writable, they're
not just read-only. Personally, I'd prefer sticking with the original
variables, if for no other reason than general readability.
Finally, you can simplify and "clean up" your code slightly by removing the
unnecessary hashes and comparisons:
<cfif IsDefined("id")>
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
______________________________________________________________________
This list and all House of Fusion resources hosted by CFHosting.com. The place for
dependable ColdFusion Hosting.
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
