Inspect Passed Data Before Using It

Everyone knows to check that URL and FORM variables exist before using them, but too many developers then refer to these variables in their code without first checking their contents. Many even interpolate them directly into SQL statements or other tags without inspecting them. This is a dangerous practice, and one that can leave you open to malicious damage (for example, URL variables are trivially tampered with by anyone who can edit an address bar) or to unintentional data corruption (for example, a cached page may resubmit stale values). To check a value you can use any of the decision functions (the ones that begin with "Is", such as IsNumeric and IsDate), the search functions (Find, ListFind, REFind, and so on), or any other test that fits the value's expected type and range. There is overhead in checking the contents of every passed value, but you must do it anyway; the cost of a single unchecked value reaching a query is far higher. (Applies to: ColdFusion All)
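As an added illustration (not code from the original tip), here is the pattern side by side: a query that trusts URL.id as passed, and the same query with the value's existence, type and range checked first and the value bound as a typed parameter. The datasource name "app", the table "users" and the allowed status list are assumptions made for the example.

```cfml
<!--- UNSAFE: URL.id is interpolated straight into the SQL.
      ?id=1%20OR%201=1 returns every row; a crafted value can do worse. --->
<cfquery name="getUserUnsafe" datasource="app">
    SELECT id, name, status FROM users WHERE id = #URL.id#
</cfquery>

<!--- HARDENED: existence check, content check, then typed binding. --->
<cfparam name="URL.id" default="">
<cfparam name="FORM.status" default="">

<!--- Decision function: reject anything that is not a positive whole number.
      Val() normalises the value so "1e3" or " 7 " cannot slip through as-is. --->
<cfif NOT IsNumeric(URL.id) OR Val(URL.id) LT 1 OR Val(URL.id) NEQ Int(Val(URL.id))>
    <cfthrow type="InvalidInput" message="id must be a positive integer">
</cfif>
<cfset userId = Int(Val(URL.id))>

<!--- Search function: a free-text FORM value is only accepted if it is in
      a known list (assumed set of statuses for this example). --->
<cfset allowedStatuses = "active,suspended,closed">
<cfif NOT ListFindNoCase(allowedStatuses, FORM.status)>
    <cfthrow type="InvalidInput" message="status is not one of: #allowedStatuses#">
</cfif>

<!--- Even after the checks, never interpolate: cfqueryparam sends the value
      separately from the SQL text and enforces the declared type. --->
<cfquery name="getUser" datasource="app">
    SELECT id, name, status
    FROM users
    WHERE id = <cfqueryparam value="#userId#" cfsqltype="cf_sql_integer">
      AND status = <cfqueryparam value="#FORM.status#" cfsqltype="cf_sql_varchar" maxlength="20">
</cfquery>
```

The two halves are complementary: the IsNumeric and ListFindNoCase checks reject values that make no sense for this page (so a tampered or stale submission fails early with a clear error), and cfqueryparam ensures that whatever does reach the database cannot change the shape of the query. On ColdFusion MX 7 and later, IsValid("integer", URL.id) is a more direct replacement for the IsNumeric and Val dance.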