pja5362 wrote:
> If one of those form/URL variables is a condition within a <cfif> statement, is it vulnerable to any attacks?
> Please see code examples 1 & 2.
I cannot say it is invulnerable to _any_ attacks, but #2 seems like a reasonable approach. It does not use any of the user-supplied values directly in the SQL. That, and the fact that you have set up a default "cfelse" case to handle any attempts to pass invalid values. Though personally I prefer switch/case myself. But that is just me.
> Please see code example 3 for my first attempt at it (which throws an error).
> <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#NumberFormat(Shipping,'99999.99')#"/>
If your value has decimal places, then CF_SQL_INTEGER is
probably the wrong data type.
> <cfif #form.condition2# IS "less"><<cfelseif #form.condition2# IS "exactly">=<cfelse>></cfif>
BTW, you do not need the extra # signs.
> <cfif Evaluate("Hidden_#counter#") IS "on">
> -1
> <cfelseif Evaluate("Hidden_#counter#") IS "">
> 0
> </cfif>
As an aside:
1) The default <cfelse> case is missing. So the query would fail if the value was something other than "on" or "".
2) Evaluate is probably unnecessary. You can use array notation to reference dynamic variable names:
#FORM["hidden_" & counter]#
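The points above (whitelisting the operator with a default case, binding the decimal with a matching cfsqltype, and replacing Evaluate with array notation) pulled together into one CFML fragment. This is an added example, not code from the thread or from pja5362: the table and column names (orders, shipping_cost, flagged), the datasource variable application.dsn, the loop variable counter, and the choice to throw on an unexpected condition2 value rather than fall back to a default operator are all assumptions.

```cfml
<!--- Added example (not from the thread). Maps user-supplied condition
      words to SQL operators through a fixed whitelist; the raw value is
      never concatenated into the SQL string. Table/column names, the
      datasource and the variable "counter" are assumed. --->

<!--- 1) Resolve the operator with cfswitch. The default case rejects
      anything outside the expected set instead of silently building a
      query around an unknown operator. --->
<cfset operator = "">
<cfswitch expression="#form.condition2#">
    <cfcase value="less">
        <cfset operator = "<">
    </cfcase>
    <cfcase value="exactly">
        <cfset operator = "=">
    </cfcase>
    <cfcase value="more">
        <cfset operator = ">">
    </cfcase>
    <cfdefaultcase>
        <cfthrow type="InvalidInput" message="Unexpected value for condition2">
    </cfdefaultcase>
</cfswitch>

<!--- 2) Shipping carries decimal places, so it is bound as a decimal,
      not an integer. Validate first so a non-numeric value never reaches
      the database layer. --->
<cfif NOT isValid("numeric", form.shipping)>
    <cfthrow type="InvalidInput" message="shipping must be numeric">
</cfif>

<!--- 3) Dynamic field name via array notation (no Evaluate), with an
      explicit fallback covering every value the checkbox can produce,
      including the field being absent from the submitted form. --->
<cfset fieldName = "hidden_" & counter>
<cfif StructKeyExists(form, fieldName) AND form[fieldName] IS "on">
    <cfset flagValue = -1>
<cfelse>
    <cfset flagValue = 0>
</cfif>

<!--- 4) The only dynamic SQL text is the whitelisted operator; every
      user-supplied value goes through cfqueryparam. --->
<cfquery name="getOrders" datasource="#application.dsn#">
    SELECT order_id, shipping_cost, flagged
    FROM orders
    WHERE shipping_cost #operator#
          <cfqueryparam cfsqltype="cf_sql_decimal" scale="2" value="#form.shipping#">
      AND flagged = <cfqueryparam cfsqltype="cf_sql_integer" value="#flagValue#">
</cfquery>
```

The design point is that the only string interpolated into the SQL is one the code itself produced from a closed set; everything the client controls is either validated and bound as a typed parameter or reduced to a fixed integer before it is used. Throwing in cfdefaultcase is a stricter choice than the original's cfelse default of ">"; either way the user value never reaches the query text.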