
92 Chapter 8: Lesson 5: Creating a Trip Detail Page
If a user called the Trip Detail page using the following statement:
http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips
the SQL database management system executes the proper SQL SELECT statement, and then immediately erases the Trips table from the database.
Protecting your application
To ensure that your application is protected from such an attack, you can exploit the fact that the ID must be a numeric value. The CFML Val function returns the numeric value at the beginning of a string expression. You can use the Val function as follows:
<!--- Add the WHERE clause only when an ID was passed in the URL. --->
<cfif IsDefined("URL.ID")>
    <!--- Val() keeps only the leading number, so "24;DROP trips" becomes 24. --->
    WHERE tripID = #Val(URL.ID)#
</cfif>
If nonnumeric data is passed within the URL ID field, the Val function returns 0, and the trip with ID 0 appears (if one exists). If the user enters the previously cited URL (http://localhost/cfdocs/getting_started/my_app/tripdetail.cfm?ID=24;DROP+trips), the application ignores the nonnumeric values and displays the trip information of trip ID 24.
Warning: The exercises in this tutorial ignore the dynamic SQL risk from attack. To eliminate this risk, you should use ColdFusion functions (such as Val) to perform type checking on all URL parameters. For queries, you can also use the cfqueryparam tag, which is explained in CFML Reference.
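The two defenses named above, the Val type check and the parameterized query, behave differently on bad input, and the difference is easier to see on a runnable model than in the CFML fragment alone. The following Python program is an added example and not part of the tutorial or of ColdFusion itself: cf_val is an approximate emulation of ColdFusion's Val (leading number or 0; this is an assumption, not the engine's code), the in-memory SQLite "trips" table is constructed sample data, and trip_by_param stands in for a cfqueryparam of type cf_sql_integer, which rejects a value that is not an integer instead of silently truncating it.

```python
import re
import sqlite3

# Approximate emulation of ColdFusion's Val(): the numeric prefix of a string,
# or 0 when the string does not start with a number.
# Assumption: this matches Val() closely enough for URL parameter checking.
_NUM_PREFIX = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+))")


def cf_val(text: str) -> float:
    """Return the leading numeric value of text, or 0 if there is none."""
    m = _NUM_PREFIX.match(text)
    return float(m.group(1)) if m else 0


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the tutorial's Trips table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trips (tripID INTEGER PRIMARY KEY, tripName TEXT)")
    conn.executemany(
        "INSERT INTO trips VALUES (?, ?)",
        [(23, "Nepal Trek"), (24, "Kenya Safari")],
    )
    return conn


def trip_by_val(conn: sqlite3.Connection, url_id: str):
    """Model of  WHERE tripID = #Val(URL.ID)#  in the tutorial's query.

    The raw parameter never reaches the SQL text; only the number Val()
    extracted from it does, so "24;DROP trips" simply looks up trip 24 and
    "abc" looks up trip 0 (which usually does not exist, giving no row).
    """
    trip_id = int(cf_val(url_id))
    sql = f"SELECT tripID, tripName FROM trips WHERE tripID = {trip_id}"
    return conn.execute(sql).fetchone()


def trip_by_param(conn: sqlite3.Connection, url_id: str):
    """Model of <cfqueryparam value="#URL.ID#" cfsqltype="cf_sql_integer">.

    The value is validated as an integer and then bound as data through the
    driver's placeholder; a non-integer such as "24;DROP trips" is rejected
    with a ValueError rather than being interpreted as SQL or quietly
    truncated.
    """
    trip_id = int(url_id)  # raises ValueError, like cfqueryparam's type check
    sql = "SELECT tripID, tripName FROM trips WHERE tripID = ?"
    return conn.execute(sql, (trip_id,)).fetchone()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """True if the named table still exists (used to confirm nothing was dropped)."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    conn = make_db()
    injected = "24;DROP trips"  # the URL value from the tutorial, already decoded
    print("Val-style lookup:", trip_by_val(conn, injected))
    print("Val-style lookup of 'abc':", trip_by_val(conn, "abc"))
    try:
        trip_by_param(conn, injected)
    except ValueError as exc:
        print("Parameterized lookup rejected the value:", exc)
    print("trips table still present:", table_exists(conn, "trips"))
```

The Val approach keeps the page working on malformed input (the user sees trip 24), while the typed parameter turns the same input into an error the application can log; both keep the parameter out of the SQL text, which is the property that matters.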
Exercise 3: Linking the Trip Search Results page with the Trip Detail page
In this exercise, you will modify the Trip Search Results page to let the user view the details of any trip. To do this, you will convert each trip name entry in the results page to a link, which will display the trip's detailed information in the detail page.
Use the following steps to link the Trip Search Results page (tripsearchresult.cfm) to the Trip Detail page (tripdetail.cfm).
To create links between the Trip Search Results page and the Trip Detail page:
1. Open the tripsearchresult.cfm file from the my_app directory.
2. Replace #tripName# in the cfoutput block with the following code:
<a href="tripdetail.cfm?ID=#URLEncodedFormat(tripID)#">#tripName#</a>
Note: URLEncodedFormat is a ColdFusion function that returns a URL-encoded string. Spaces are replaced with %20, and nonalphanumeric characters with equivalent hexadecimal escape sequences. The function lets you pass arbitrary strings within a URL, because ColdFusion automatically decodes URL parameters that are passed to the page.
3. Save the file.