Inspiring
July 14, 2009
Question

Form and url variables - making them the same name

  • July 14, 2009
  • 3 replies
  • 1483 views

I have a form that is entered when the user enters a part number. Inside the form, I do a bunch of query lookups using the form variable, where partNumber = '#form.partNumber#'

However, I can also access this form from other forms, so I would then be using the url variable, where partNumber = '#url.partNumber#'

To determine whether I use the form or url variable, I pass a flag as I enter the form, and then check to determine which to use. For example, <cfif flag="form">, then where partNumber = '#form.partNumber#' else where partNumber = '#url.partNumber#'

This seems to work ok, but is there a better way to do this ?

I just want to say where partNumber = '#partNumber#' and forget if it is form or url variable.


    davidsimms
    Inspiring
    July 15, 2009

    And why is it that you wouldn't take Dan's advice. You want these variables in the URL scope and using the GET method instead of POST puts them there without all the processing you're using now. I'm confused.

    Inspiring
    July 15, 2009

    The biggest reason I try to not use URL parameters is that URL parameters open you to SQL injection attacks.

    ilssac
    Inspiring
    July 15, 2009

    Kibbage.TEESO wrote:

    The biggest reason I try to not use URL parameters is that URL parameters open you to SQL injection attacks.

    No more than Form variables do. If you think that form variables are somehow magically more secure from injection or any other type of tampering than url variables, then you have a very weak understanding of Internet technology.

    It is no harder for me to modify a form [POST] variable than it is for me to modify a url [GET] variable on any request I send to your server. If your server trusts the form variables and does not take precautions, then your application is open to SQL injection and other hacks.
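    The point above applies to the query pattern in the question: where partNumber = '#form.partNumber#' splices client-supplied text straight into SQL whichever scope it arrives in. The following is an added example, not code from anyone in this thread; it merges the URL and FORM value into one variable and then binds it with cfqueryparam. The datasource name "parts" and the table and column names are assumptions.

    ```cfml
    <!--- Accept partNumber from either scope and keep one unambiguous local copy.
          Failing fast when it is absent avoids silently querying with an empty value. --->
    <cfif structKeyExists(url, "partNumber")>
        <cfset variables.partNumber = url.partNumber>
    <cfelseif structKeyExists(form, "partNumber")>
        <cfset variables.partNumber = form.partNumber>
    <cfelse>
        <cfthrow message="partNumber is required">
    </cfif>

    <!--- Vulnerable pattern from the question (kept as a comment, never run):
          whatever the client sends becomes part of the SQL text, and a value that
          contains a quote character changes the meaning of the WHERE clause.

          <cfquery name="getPart" datasource="parts">
              SELECT partNumber, description
              FROM   parts
              WHERE  partNumber = '#variables.partNumber#'
          </cfquery>
    --->

    <!--- Hardened form: cfqueryparam passes the value as a bind parameter, so the
          database never parses it as SQL, regardless of whether it came from GET
          or POST. cfsqltype enforces the expected type and maxlength bounds the
          value length. Assumed datasource and column names. --->
    <cfquery name="getPart" datasource="parts">
        SELECT partNumber, description
        FROM   parts
        WHERE  partNumber = <cfqueryparam value="#variables.partNumber#"
                                          cfsqltype="cf_sql_varchar"
                                          maxlength="20">
    </cfquery>
    ```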

    Inspiring
    July 14, 2009

    Here is a little trick I stumbled upon; you can create FORM variables! So I use:

    <cfif isDefined("URL.partNumber")>
        <cfset FORM.partNumber = URL.partNumber>
    </cfif>

    Then after that I just use the FORM variable.

    What do you think?

    trojnfn (Author)
    Inspiring
    July 14, 2009

    This is excellent. So you can only create form but not url variables ?

    I tried this :

    <cfif flag is "form">
        <cfset partNumber = "#form.partNumber#">
    <cfelse>
        <cfset partNumber = "#url.partNumber#">
    </cfif>

    It will always give me partNumber regardless of url or form. It seems to work and has not blown up, but I am not sure. Does this make sense ?

    Inspiring
    July 14, 2009

    Actually if you use the isDefined() function of CF you don't need the flag. What you wrote works but my personal preference is to always qualify variables. In fact if you don't use either FORM.partNumber or URL.partNumber and just use partNumber CF will find it in the FORM scope or the URL scope for you. Therefore if you use the same name (partNumber) but without URL or FORM the way you are doing you don't need any of the <cfif> logic. However, if I were going to code it the way you are I would change the variable name to something like VARIABLES.partNumber. Check out "scope" in the CF documentation. Does that make sense?

    Yes, you can set URL parameters too!

    Inspiring
    July 14, 2009

    Doing exactly what you say you want to do will actually work, but it's inefficient because cf has to figure out the scope.

    If you change the method attribute on your form from post to get, you can use url variables only on your action page.