Programming instructions

Enhancing the Trip Maintenance application 89
Protecting your application
To ensure that your application is protected from such an attack, you can exploit the fact that the ID must be a numeric value. The CFML Val function returns the numeric value at the beginning of a string expression. You can use the Val function as follows:
<cfif IsDefined("URL.ID")>
WHERE tripID = #Val(URL.ID)#
</cfif>
Now if non-numeric data is passed in the URL ID field, the Val function returns 0, and the trip with ID 0 displays (if one exists). If the user enters the previously cited URL (http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips), the application ignores the non-numeric values and displays the trip information of trip ID 24.
Warning: The exercises in this tutorial ignore the risk of attack through dynamic SQL. You must use the Val function in your applications to eliminate the risk.
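The tripdetail.cfm query before and after the Val fix, as an added example that is not part of the tutorial. The datasource name CompassTravel and the tripDescription column are assumptions; the example also refuses to look up trip 0 when the ID is missing or non-numeric, rather than displaying trip 0 if one exists.

```cfml
<!--- Added example, not tutorial code. Assumed: datasource "CompassTravel",
      column tripDescription. --->

<!--- BEFORE: URL.ID is pasted into the SQL text unchanged, so
      ?ID=24;DROP+trips becomes  WHERE tripID = 24;DROP trips  --->
<cfquery name="TripQuery" datasource="CompassTravel">
    SELECT tripID, tripName, tripDescription
    FROM trips
    <cfif IsDefined("URL.ID")>
        WHERE tripID = #URL.ID#
    </cfif>
</cfquery>

<!--- AFTER: Val keeps only the leading number, so only a numeric literal
      reaches the SQL. Val("24;DROP trips") is 24, Val("abc") is 0,
      Val("") is 0. --->
<cfset tripIDValue = 0>
<cfif IsDefined("URL.ID")>
    <cfset tripIDValue = Val(URL.ID)>
</cfif>

<cfif tripIDValue LTE 0>
    <!--- Missing or non-numeric ID: do not query for trip 0, tell the user. --->
    <cfoutput><p>Please select a trip from the search results.</p></cfoutput>
<cfelse>
    <cfquery name="TripQuery" datasource="CompassTravel">
        SELECT tripID, tripName, tripDescription
        FROM trips
        WHERE tripID = #tripIDValue#
    </cfquery>
    <cfoutput query="TripQuery">
        <h2>#tripName#</h2>
        <p>#tripDescription#</p>
    </cfoutput>
</cfif>
```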
Linking the Search Results page to the Trip Detail page
In the next exercise you will modify the Trip Search Results page to let the user view the details of any trip. To do this, you will convert the trip name entries in the results page to links, which display the trip's detailed information in the detail page.
Exercise: linking the Search Results page with the Trip Detail page
Use the following steps to link the Trip Search Results page (tripsearchresult.cfm) to the
Trip Detail page (tripdetail.cfm).
To create links between pages:
1 Open the tripsearchresult.cfm page from the my_app directory and replace the
#tripName# in the cfoutput block with the following code:
<a href="tripdetail.cfm?ID=#URLEncodedFormat(tripID)#">
#tripName# </a>
Note: URLEncodedFormat is a ColdFusion function that returns a URL-encoded string. Spaces are replaced with %20, and nonalphanumeric characters with equivalent hexadecimal escape sequences. The function lets you pass arbitrary strings within a URL, because ColdFusion automatically decodes URL parameters that are passed to the page.
2 Save the file and view the tripsearch.cfm page from the my_app directory in your
browser.