Secure is good. Too secure, not so good. A funny problem began happening on my bathroom vanity finder - when you selected two attributes in the same group, for example, if you selected traditional vanities and contemporary vanities in Style, it would give a JavaScript error. Now I had tested this and it had been working correctly, so I was surprised to see it was not working.
It is just a bit annoying to test this, because the vanity finder is Ajax'ed up, making it difficult to know the exact URL requested. I have a tool that shows me requests to the finder, so I did have the ability to paste the URL into a browser to see the server reply - and all I got was a blank page. That certainly explains the JavaScript error! Now, all I have to do is find that errant <cfabort> that is ending the processing of the page before it generates the response.
We all know not to pass data received from the client, like querystring variables, directly to the database without sanitization. So of course, I loop over the attributes received from the finder and ensure that they are numeric, and if they are not, I abort processing of the page. So how did this crash the vanity finder?
Usually, when you select more than one attribute, the finder will only return those with both attributes. The exception to this is if you choose more than one attribute in the same group, for example double vanities and 36" vanities, then it will show you vanities that match either one. If you add another attribute from a different group, say stone vanities, it will show you vanities that match either double or 36" AND stone. To make this a little easier on the server, the attributes are combined on the client side - attributes in different groups are separated by commas, and in the same group are separated by hyphen. This saves the server the processing of all the selected attributes to know which are inclusive and which are exclusive.
However, I kinda forgot about that when I added the test for numeric attributes. So when you selected more than one attribute in a group, isNumeric would fail, as there is a hyphen in there, and it would abort the response, leading to the JavaScript error. Real secure, wouldn't you say?
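The fix the post points at is to validate each attribute ID after splitting the combined string, not the whole string at once. The following is an added illustration, not the site's own ColdFusion code: it parses the described format (commas between groups, hyphens within a group), shows why a whole-string numeric check rejects a legitimate multi-select, and builds a parameterized WHERE fragment; the sample selection and the table and column names (vanity_attribute, vanity_id, attribute_id) are constructed for the example.

```python
import re

# Constructed sample in the finder's format: "12-15" is two attributes in one
# group (match either), "27" is an attribute in another group (must also match).
SAMPLE_SELECTION = "12-15,27"

# An attribute ID is a bare run of digits; anything else (hyphen, quote, space) is rejected.
ID_TOKEN = re.compile(r"^[0-9]+$")


def naive_whole_string_check(raw):
    """The check the post describes: is the entire string numeric?
    Passes for "12" but fails for "12-15", aborting a valid request."""
    return ID_TOKEN.fullmatch(raw) is not None


def parse_attribute_groups(raw):
    """Turn "12-15,27" into [[12, 15], [27]], rejecting any non-numeric token.

    Splitting first and validating each ID keeps the same-group multi-select
    working while still refusing anything that is not a plain integer."""
    if not isinstance(raw, str) or raw == "":
        raise ValueError("empty attribute selection")
    groups = []
    for group in raw.split(","):
        ids = []
        for token in group.split("-"):
            if not ID_TOKEN.fullmatch(token):
                raise ValueError("non-numeric attribute id: %r" % token)
            ids.append(int(token))
        groups.append(ids)
    return groups


def is_valid_selection(raw):
    """Boolean wrapper: True when every attribute ID parses, False otherwise."""
    try:
        parse_attribute_groups(raw)
        return True
    except ValueError:
        return False


def build_where_clause(groups):
    """OR within a group, AND across groups, with one placeholder per ID so the
    IDs travel as bound parameters rather than as text pasted into the SQL.
    Table and column names are assumed for the example."""
    clauses, params = [], []
    for ids in groups:
        placeholders = ", ".join("?" * len(ids))
        clauses.append("EXISTS (SELECT 1 FROM vanity_attribute va WHERE va.vanity_id = v.id "
                       "AND va.attribute_id IN (%s))" % placeholders)
        params.extend(ids)
    return " AND ".join(clauses), params
```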