[thelist] CF: source of POST variables

Raymond Camden jedimaster at macromedia.com
Fri Aug 2 08:28:02 CDT 2002


Examine the CGI scope, but as you indicate, it's not 100% secure. Thing
is - you will _never_ be able to 100% trust the post since, in theory, a
person could fake all the CGI variables.
=======================================================================
Raymond Camden, ColdFusion Jedi Master for Macromedia

Email    : jedimaster at macromedia.com
Yahoo IM : morpheus

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org] On Behalf Of jon steele
> Sent: Friday, August 02, 2002 8:52 AM
> To: TheList Evolt
> Subject: [thelist] CF: source of POST variables
>
>
> Hi,
>
> I need to know the source of the POST variables available on
> a certain page. I need to ensure that
> my receipt script only executes if the user validly submitted
> a form (and not mimicked the form and
> just posted the variables to the receipt script).
>
> HTTP_REFERER is pretty unreliable for this scenario, because
> of its dependency on the browser.
>
> Is there a ColdFusion variable indicating where the POST
> variables were, well, posted from?
>
> This seems like a pretty common issue...is there another
> method I can use to achieve the same
> level of security? I know one way would be to create a
> unique, random, identifier, store it
> somewhere (db, session variables...etc?), place it in a
> hidden form field, and then on the receipt
> page verify and disable the id. Any other more simple,
> elegant solutions? :)
>
> Thank you greatly in advance.
> Jon
>
>
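
The one-time identifier described in the question (create it, store it in the session, put it in a hidden form field, then verify and disable it on the receipt page), as an added example that is not code from either poster. It assumes session management is enabled for the application; issueFormToken, consumeFormToken, session.formTokens, the formToken field and receipt.cfm are hypothetical names. A valid token shows the POST came from a form served to that session; the field values still need their own validation.

```cfml
<cfscript>
// Form page side: create an unguessable id and remember it in the session.
function issueFormToken(required string formName) {
    // generateSecretKey() draws on the JVM's cryptographic RNG; hashing the
    // key gives a hex string that is safe in HTML and as a struct key.
    var token = hash(generateSecretKey("AES"), "SHA-256");
    lock scope="session" type="exclusive" timeout="5" {
        if (!structKeyExists(session, "formTokens")) {
            session.formTokens = {};
        }
        session.formTokens[token] = { formName = arguments.formName, issued = now() };
    }
    return token;
}

// Receipt page side: accept the id once, then disable it.
function consumeFormToken(required string formName, required string token, numeric maxAgeMinutes = 20) {
    var entry = {};
    var found = false;
    lock scope="session" type="exclusive" timeout="5" {
        if (len(arguments.token) > 0
                && structKeyExists(session, "formTokens")
                && structKeyExists(session.formTokens, arguments.token)) {
            entry = session.formTokens[arguments.token];
            // Delete before any other check so a replayed POST always fails.
            structDelete(session.formTokens, arguments.token);
            found = true;
        }
    }
    // The token must belong to this form and must not be stale.
    return found
        && entry.formName == arguments.formName
        && dateDiff("n", entry.issued, now()) <= arguments.maxAgeMinutes;
}
</cfscript>

<!--- Form page: embed a fresh token in the hidden field --->
<cfoutput>
<form method="post" action="receipt.cfm">
    <input type="hidden" name="formToken" value="#issueFormToken('order')#">
    <input type="submit" value="Submit">
</form>
</cfoutput>

<!--- Receipt page: stop unless the token is present, known and unused --->
<cfif NOT (structKeyExists(form, "formToken") AND consumeFormToken("order", form.formToken))>
    <cfabort>
</cfif>
```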




