Exercise 2: Avoiding the Potential Security Risk When Using Dynamic SQL - Macromedia ColdFusion MX 7

Getting Started Building ColdFusion MX Applications
Reviewing the code
The following table describes the ColdFusion code that you use to build the Trip Detail page:

Code:
<cfcomponent>
<cffunction name="getTripDetails"
access="public"
returntype="query">
...
<cfreturn tripDetails>
</cffunction>
</cfcomponent>
Explanation:
The cfcomponent tag creates a CFC. The cffunction tag creates a method named getTripDetails in the CFC; the method returns the results of the query to the calling page.

Code:
<cfquery name="TripQuery"
dataSource="CompassTravel"
maxRows=1>
Explanation:
The cfquery tag includes a maxRows attribute. This attribute limits the number of result rows brought back from the database. In the Trip Detail page, you want to show only a single row at a time; therefore, the maxRows attribute is set to 1.

Code:
<cfif IsDefined("URL.ID")>
WHERE tripID = #URL.ID#
</cfif>
Explanation:
The URL.ID specifies a parameter that you can include in the URL that requests this page. If the ID parameter is passed within the URL, it is used in the SQL query to identify the tripID to SELECT. You can use the CFML IsDefined function to determine if a parameter is passed within the URL. You can also use IsDefined to determine if the user has entered data in form fields prior to the form post action.

As you did in this exercise, you can build comprehensive database query applications using CFML and dynamic SQL. To further test the new Trip Detail page that you created, you will link it to the search facility that you built in Lesson 4: Building Dynamic Queries. However, before you link that search facility, you must understand a potential security risk when using dynamic SQL. The following exercise describes this risk and how to avoid it.

Exercise 2: Avoiding the potential security risk when using dynamic SQL
To reduce round trips between the client and the database server, many SQL database servers permit the client to submit multiple SQL statements in a single request, separated by a semicolon (;). For these database management systems, the following SQL request is valid:
DELETE from trips where tripLocation = 'China'; SELECT tripName from trips
This request might be an efficient way to list the trips that remain after the database management system removes the China trip. Problems arise when the SQL statement is built dynamically: whatever the client places in the URL becomes part of the statement text that the database executes.
In the Trip Maintenance application, when the client program or user passes an ID in the URL that calls the Trip Detail page, the page displays the relevant trip information. The following code builds the correct WHERE clause that supports this behavior:
<cfif IsDefined("URL.ID")>
WHERE tripID = #URL.ID#
</cfif>
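As an added illustration, not code from the manual, here is the Trip Detail query written so that the value of URL.ID can no longer be read as SQL: the type is checked with IsValid (available from ColdFusion MX 7) and the value is bound with cfqueryparam, ColdFusion's bind-parameter tag; the remedy this exercise itself goes on to teach is not on this page. The names TripQuery, CompassTravel, trips, tripID, tripName and tripLocation come from the lesson; the column list and the InvalidTripID exception type are assumptions.

```cfml
<!--- Added example, not from the manual. Hardened Trip Detail query.
      Assumed: the trips table has columns tripID, tripName, tripLocation
      (the lesson names them but never lists the SELECT columns). --->

<!--- Vulnerable form from the lesson, kept here for comparison only.
      The raw URL value is pasted into the SQL text, so the database
      receives it as part of the statement, semicolons included. --->
<!---
<cfquery name="TripQuery" dataSource="CompassTravel" maxRows=1>
    SELECT tripID, tripName, tripLocation FROM trips
    <cfif IsDefined("URL.ID")>
        WHERE tripID = #URL.ID#
    </cfif>
</cfquery>
--->

<!--- Step 1: refuse anything that is not a whole number before the
      database is touched. A trip ID is an integer, nothing else. --->
<cfif IsDefined("URL.ID") AND NOT IsValid("integer", URL.ID)>
    <cfthrow type="InvalidTripID"
             message="Trip ID must be an integer.">
</cfif>

<!--- Step 2: bind the value instead of interpolating it. cfqueryparam
      sends the value to the driver separately from the SQL text, so it
      is never parsed as SQL; cf_sql_integer also makes ColdFusion reject
      non-integer input itself, which backs up the check above. --->
<cfquery name="TripQuery" dataSource="CompassTravel" maxRows=1>
    SELECT tripID, tripName, tripLocation
    FROM trips
    <cfif IsDefined("URL.ID")>
        WHERE tripID = <cfqueryparam value="#URL.ID#"
                                     cfsqltype="cf_sql_integer">
    </cfif>
</cfquery>
```

With the bound parameter in place, the semicolon-separated request shown earlier in this exercise cannot be assembled from URL.ID, because the database sees a single prepared statement with one integer argument.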