
cfparam best practice 1


ice7899

Programmer
May 14, 2006
59
GB
Is it ok to introduce a variable in a page as follows

<cfparam name="somevar" default="1">

And then update its value with links

somepage.cfm?somevar=20 etc



I have seen this quite a lot recently and I'm not sure if it is good practice. Should somevar be explicitly scoped? <cfparam name="url.somevar" default="1">
 
It's generally recommended to always scope your variables, regardless of whether they're form, url, session, etc...

If you're using cfparam, you'll definitely want to scope it so that it knows exactly what variable to assign the value to. While it may work without a scope, it's not a good idea to do it that way. (or at least I wouldn't)

Hope This Helps!

ECAR
ECAR Technologies

"My work is a game, a very serious game." - M.C. Escher
 
What are you doing with this variable? Is it a piece of data that could be misused by a user?

For example - will bad things happen if they type
somepage.cfm?somevar=21
instead of
somepage.cfm?somevar=20

If so:
Avoid URL Variables
If you have to use them:
Encrypt before transmission using the ENCRYPT and DECRYPT functions
and
validate using CFQUERYPARAM before writing to a database.

Are you using CF7?

Cheers,

Bluetone
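
The scoping and CFQUERYPARAM advice above, as an added example that is not part of any post in this thread: the URL value is scoped, type-checked and range-checked before it reaches a query. The datasource `appdb`, the `items` table and its columns, and the 1-100 range are assumptions made for illustration.

```cfml
<!--- Added example; datasource "appdb", table "items" and the 1-100 range are hypothetical. --->

<!--- Scoped and typed: the value is read from the URL scope only, and a
      non-integer ?somevar= makes cfparam throw instead of flowing into the page. --->
<cftry>
    <cfparam name="url.somevar" default="1" type="integer">
    <cfcatch type="any">
        <!--- Malformed input: fall back to the default rather than using it. --->
        <cfset url.somevar = 1>
    </cfcatch>
</cftry>

<!--- A valid type is not yet a valid value: enforce the range this page expects. --->
<cfif url.somevar LT 1 OR url.somevar GT 100>
    <cfset url.somevar = 1>
</cfif>

<!--- Bind the value as a typed parameter instead of concatenating it into the SQL text. --->
<cfquery name="getItems" datasource="appdb">
    SELECT item_id, item_name
    FROM items
    WHERE category_id = <cfqueryparam value="#url.somevar#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Encode database output before writing it into the HTML response. --->
<cfoutput query="getItems">
    #HTMLEditFormat(getItems.item_name)#<br>
</cfoutput>
```

These checks constrain the form of the value only; whether the current user is allowed to see the record that `somevar=21` selects still has to be decided on the server.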
 
Yes I am using CF7.

Would it be a viable solution to use session variables instead of URLs? If so, is around 14 1-number or 1-word variables too many per query?
 
Definitely - SESSION variables are the way to avoid URL data transfer unless it is going to be a heavily used site and your server memory isn't of sufficient capacity. That is rarely an issue.

That number of variables just adds to the memory load, but again, it generally isn't a problem.

Make sure you use CFLOCK around the creation and reading of session variables - Failure to do so can result in an unstable application due to memory overwrites.

Cheers,

Bluetone
 
I just read your earlier post - one other disadvantage of using URL variables is that most search engines do not like more than 2. If you have more, it can hurt your SEO.

Cheers,

Bluetone
 
Is there a performance penalty associated with the use of CFLOCK as suggested above? If so, would this make using URLs faster?
 
Unless you are using very old hardware or you have a heavily used site (several thousand concurrent visitors) that kind of minor performance tweaking isn't really necessary. I suspect passing data via URLs might be slightly faster - if security were not an issue. For example, encrypting variables is relatively time and resource intensive.

Passing data via URLs should be avoided for any environment that isn't completely trusted, i.e., any public website.

Cheers,

Bluetone
 