[thelist] Friday Freebie

Raymond Camden rcamden at allaire.com
Wed Dec 27 10:05:40 CST 2000


The main reason to use it would be for validation. In one line you could
both param a value and ensure that it's in the proper format. Paraming the
value to 0 is not good enough if the user changes the URL value to some
string. The value exists, but is not what you want. (I'm also assuming
everyone here knows the dangers of passing URL vars to SQL w/o validating,
if not, someone say so and I'll post about that.)

To be honest, I don't normally use TYPE="" to validate since I don't like
using CFTRY/CFCATCH to handle the errors. Plus, most of the time I not only
want to check for 'Numeric', I also want to ensure it's positive, within a
certain range, etc.

One _real_ good use of TYPE="" is for variable names. If your custom tags
allow you to define the name of the variable returned to the calling tag
(all custom tags should do this), you can use CFPARAM with TYPE="Variable"
(may be variableName) to ensure that a proper variable name was passed. It's
not _too_ hard to check for 'variable name' format, but it's much easier in
a CFPARAM.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Allaire

Email   : jedimaster at allaire.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of jeff
> Sent: Wednesday, December 27, 2000 9:30 AM
> To: thelist at lists.evolt.org
> Subject: RE: [thelist] Friday Freebie
>
>
> raymond,
>
> :~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> : From: Raymond Camden
> :
> : It _will_ throw an error, however, if url.x is not
> : a number.  Notice the TYPE= part to my code?
> : That forces the value to be a certain type.
> : Therefore, if the user mucks with the query
> : string, and changes id=5 to id=ray, they will
> : get an error. (Of course, it's their fault, but
> : normally it's better to suppress things, and
> : in this case, you may want to log an ip to a
> : security file or somesuch.)
> :~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ok, so i guess that begs the question then - why bother with the type
> attribute in this situation?  i don't see any advantage of typing it to a
> number, especially if all it will do is give the potential for an error to
> be caused.  i do like how it makes it more apparent what the variable type
> you're working with, but the default value of 0 or the Val() in the
> conditional tells me that much already.
>
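
The two validation routes discussed in the message above, as an added example that is not part of the original post or Allaire's code: CFPARAM with TYPE inside CFTRY/CFCATCH, and a plain CFPARAM followed by explicit format and range checks before the value reaches SQL. The url.id parameter name, the 1-100000 range, the "appdb" datasource and the articles table are assumptions made for illustration.

```cfml
<!--- Added example. Assumptions: url.id, the 1-100000 range, the "appdb"
      datasource and the articles table. --->

<!--- Route 1: CFPARAM with TYPE. A non-numeric url.id throws here, so the
      tag is wrapped in CFTRY and the tampered request is logged. --->
<cftry>
    <cfparam name="url.id" default="0" type="numeric">
    <cfcatch type="any">
        <cflog file="security" type="warning"
               text="Non-numeric url.id from #cgi.remote_addr#">
        <cfset url.id = 0>
    </cfcatch>
</cftry>

<!--- Route 2: param without TYPE, then check format and range by hand.
      No exception handling is needed, and values such as -3 or 1.5 that
      TYPE="numeric" accepts are rejected. --->
<cfparam name="url.id" default="0">
<cfset validId = false>
<cfif reFind("^[0-9]{1,6}$", url.id)>
    <cfif url.id GTE 1 AND url.id LTE 100000>
        <cfset validId = true>
    </cfif>
</cfif>

<cfif validId>
    <!--- The validated value is still bound as a typed parameter. --->
    <cfquery name="getArticle" datasource="appdb">
        SELECT title, body
        FROM articles
        WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    </cfquery>
<cfelse>
    <cfoutput>Article not found.</cfoutput>
</cfif>
```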




