
Form and url variables - making them the same name

Participant, Jul 14, 2009

I have a form that is entered when the user enters a part number. Inside the form, I do a bunch of query lookups using the form variable, where partNumber = '#form.partNumber#'

However, I can also access this form from other forms, so I would then be using the url variable, where partNumber = '#url.partNumber#'

To determine whether I use the form or url variable, I pass a flag as I enter the form, and then check to determine which to use. For example, <cfif flag is "form">, then where partNumber = '#form.partNumber#' else where partNumber = '#url.partNumber#'

This seems to work ok, but is there a better way to do this ?

I just want to say where partNumber = '#partNumber#' and forget if it is form or url variable.

LEGEND, Jul 14, 2009

Doing exactly what you say you want to do will actually work, but it's inefficient because cf has to figure out the scope.

If you change the method attribute on your form from post to get, you can use url variables only on your action page.

Explorer, Jul 14, 2009

Here is a little trick I stumbled upon; you can create FORM variables! So I use:

<cfif isDefined("URL.partNumber")>
     <cfset FORM.partNumber = URL.partNumber>
</cfif>

Then after that I just use the FORM variable.

What do you think?

Participant, Jul 14, 2009

This is excellent. So you can only create form but not url variables ?

I tried this :

<cfif flag is "form">
<cfset partNumber= "#form.partNumber#">
<cfelse>
<cfset partNumber = "#url.partNumber#">
</cfif>

It will always give me partNumber regardless of url or form. It seems to work and has not blown up, but I am not sure. Does this make sense ?

Explorer, Jul 14, 2009

Actually if you use the isDefined() function of CF you don't need the flag. What you wrote works but my personal preference is to always qualify variables. In fact if you don't use either FORM.partNumber or URL.partNumber and just use partNumber CF will find it in the FORM scope or the URL scope for you. Therefore if you use the same name (partNumber) but without URL or FORM the way you are doing you don't need any of the <cfif> logic. However, if I were going to code it the way you are I would change the variable name to something like VARIABLES.partNumber. Check out "scope" in the CF documentation. Does that make sense?

Yes, you can set URL parameters too!

Contributor, Jul 15, 2009

And why is it that you wouldn't take Dan's advice? You want these variables in the URL scope and using the GET method instead of POST puts them there without all the processing you're using now. I'm confused.

Explorer, Jul 15, 2009

The biggest reason I try to not use URL parameters is that URL parameters open you to SQL injection attacks.

Valorous Hero, Jul 15, 2009

Kibbage.TEESO wrote:

The biggest reason I try to not use URL parameters is that URL parameters open you to SQL injection attacks.

No more than Form variables do. If you think that form variables are somehow magically more secure from injection or any other type of tampering than url variables, then you have a very weak understanding of Internet technology.

It is no harder for me to modify a form [POST] variable than it is for me to modify a url [GET] variable on any request I send to your server. If your server trusts the form variables and does not take precautions, then your application is open to SQL injection and other hacks.

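A lookup that treats FORM and URL input as equally untrusted, as discussed in the posts above. This is an added example, not code from any participant in the thread; the datasource `partsDSN`, the `parts` table and its columns, and the part-number format are assumptions.

```cfml
<!--- Added example. Datasource, table, columns and the part-number
      format are assumptions made for illustration. --->

<!--- 1. Resolve the value from whichever scope carried it. Both scopes
         are client-controlled, so neither one is treated as trusted. --->
<cfset variables.partNumber = "">
<cfif structKeyExists(form, "partNumber")>
    <cfset variables.partNumber = trim(form.partNumber)>
<cfelseif structKeyExists(url, "partNumber")>
    <cfset variables.partNumber = trim(url.partNumber)>
</cfif>

<!--- 2. Allow-list validation. Assumed format: 1 to 20 letters, digits
         or hyphens. Anything else is rejected before the query runs. --->
<cfif NOT reFind("^[A-Za-z0-9-]{1,20}$", variables.partNumber)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid part number.</cfoutput>
    <cfabort>
</cfif>

<!--- 3. Bind the value with cfqueryparam instead of interpolating it
         into the SQL text, so the driver sends it as data. --->
<cfquery name="getPart" datasource="partsDSN">
    SELECT partNumber, description
    FROM   parts
    WHERE  partNumber = <cfqueryparam value="#variables.partNumber#"
                                      cfsqltype="cf_sql_varchar"
                                      maxlength="20">
</cfquery>

<!--- 4. Encode on output as well; stored data is not trusted either. --->
<cfoutput query="getPart">
    #htmlEditFormat(getPart.partNumber)#: #htmlEditFormat(getPart.description)#<br>
</cfoutput>
```

The same checks run whether the request arrived by GET or POST, so the protection does not depend on the form's method attribute.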
Explorer, Jul 15, 2009

I should clarify that it is a lot easier to add text to the URL for SQL injection than to FORM fields. This does not mean I don't check form fields. The action page of a form submission should primarily be to edit form fields.

P.S. Why are you attacking me? (you have a very weak understanding of Internet technology)

Valorous Hero, Jul 15, 2009

Kibbage.TEESO wrote:

P.S. Why are you attacking me? (you have a very weak understanding of Internet technology)

No attack at you.

There are people who do not understand Internet technology. They do believe that because form fields are less obvious that they are more secure. If you had believed that, you would not have been the first person who did and I expect that there will be people in the future who hold this mistaken belief.
