Table of Contents
Advertisement
If a user called the Trip Detail page using the following statement:
http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips
the SQL database management system executes the proper SQL SELECT statement, and then
immediately erases the Trips table from the database.
Protecting your application
To ensure that your application is protected from such an attack, you can exploit the fact that the
ID must be a numeric value. The CFML
of a string expression. You can use the
<cfif IsDefined("URL.ID")>
WHERE tripID = #Val(URL.ID)#
</cfif>
If nonnumeric data is passed within the URL ID field, the
with ID 0 appears (if one exists). If the user enters the previously cited URL
(http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips), the
application ignores the non-numeric values and displays the trip information of trip ID 24.
Warning: The exercises in this tutorial ignore the dynamic SQL risk from attack. To eliminate this risk,
you should use ColdFusion functions (such as
For queries, you can also use the
Exercise 3: Linking the Trip Search Results page with the Trip
Detail page
In this exercise, you will modify the Trip Search Results page to let the user view the details of any
trip. To do this, you will convert each trip name entry in the results page to a link, which will
display the trip's detailed information in the detail page.
Use the following steps to link the Trip Search Results page (tripsearchresult.cfm) to the Trip
Detail page (tripdetail.cfm).
To create links between the Trip Search Results page and the Trip Detail page:
Open the tripsearchresult.cfm file from the my_app directory.
1.
Replace
2.
#tripName#
<a href="tripdetail.cfm?ID=#URLEncodedFormat(tripID)#">#tripName# </a>
Note: The
URLEncodedFormat
are replaced with %20, and nonalphanumeric characters with equivalent hexadecimal escape
sequences. The function lets you pass arbitrary strings within a URL, because ColdFusion
automatically decodes URL parameters that are passed to the page.
Save the file.
3.
92
Chapter 8: Lesson 5: Creating a Trip Detail Page
function returns the numeric value at the beginning
Val
function as follows:
Val
Val
tag, which is explained in CFML Reference.
cfqueryparam
in the
block with the following code:
cfoutput
is a ColdFusion function that returns a URL-encoded string. Spaces
function returns 0, and the trip
Val
) to perform type checking on all URL parameters.
Advertisement
Table of Contents
Related Manuals for MACROMEDIA COLFUSION MX 7-GETTING STARTED BUILDING COLDFUSION MX
Related Products for MACROMEDIA COLFUSION MX 7-GETTING STARTED BUILDING COLDFUSION MX
- MACROMEDIA COLDFUSION MX 7.0.2-USING COLDFUSION MX WITH FLEX 2
- MACROMEDIA COLFUSION MX 7-MIGRATING APPLICATIONS TO COLDFUSION MX 7
- MACROMEDIA 38000382 - Macromedia JRun - Mac
- MACROMEDIA 38028779 - Macromedia Dreamweaver - Mac
- MACROMEDIA BREEZE
- MACROMEDIA BREEZE 5
- MACROMEDIA BREEZE 5-MANAGER
- MACROMEDIA Breeze Edge Server
- MACROMEDIA Breeze Live
- MACROMEDIA BREEZE PRESENTER
- MACROMEDIA BREEZE-CLUSTERING BREEZE LIVE
- MACROMEDIA BREEZE-CLUSTERING BREEZE PRESENTATION PLATFORMS
- MACROMEDIA BREEZE-FOR MEETING PARTICIPANTS
- MACROMEDIA BREEZE-FOR MEETING PRESENTERS
- MACROMEDIA BREEZE-MANAGING EXTERNAL BREEZE REPORTS
- MACROMEDIA BREEZE-SECURITY
Need help?
Do you have a question about the COLFUSION MX 7-GETTING STARTED BUILDING COLDFUSION MX and is the answer not in the manual?
Questions and answers