Lesson 17. Flash, ColdFusion, and the Da... > Improving the Security of the Applic...

Improving the Security of the Application

The application is fully functional. Still, a rather obvious security problem exists as the application currently stands. The ColdFusion scripts on dante_quiz_results.cfm that insert the data into the database and output the scores on the page both depend on the URL variables. However, the address in the URL is fully editable!

In the browser's address bar, change the score to 0, and revise the username to the email address of someone you don't like. Press Enter or Return.

The page reloads with the new data, and sure enough, your victim has been added to the database with a score of 0.

You need to find some way to get this data out of the URL.

Do you remember the earlier discussion about GET versus POST in the information about forms? With GET, the data is submitted as a querystring via the URL; with POST, the data is submitted in a way that is invisible—and not editable—to the user. Ideally, we could submit the data from Flash using POST rather than as a querystring. We can.

In Dreamweaver, open dante_quiz_questions.cfm. In Design view, click to select the gray rectangle representing the Flash movie. In the Property inspector, click the Edit button.

Flash opens, with the FLA file already active. This is a convenient shortcut. Once Flash opens, in the top-left corner, notice a Done button. When you are done making changes to the file, click this button, and Flash will regenerate a new SWF file for you and also save the FLA.

Click Frame 40 of the actions layer, and open the Actions panel. Revise the getURL() line to remove the variables, as follows:


Now, no variables will be sent, which is obviously not what you want. But you don't want them passed through the URL, so you have to remove them from there.

The getURL() method, like many Flash methods, has optional parameters in addition to its required parameter (the URL itself). The two optional parameters are target and variables. The target parameter enables you to specify in which browser window you want the requested URL to open. The default is the same window that called the file, or _self. If you don't specify this parameter, Flash assumes you mean _self as the target. The other parameter, variables, causes Flash to send all of the variables on the timeline to the requested URL as part of the request. The variables parameter has only two options—GET and POST. You should recall the discussion about these two from earlier in the book, but as a quick review, GET sends the variables in the URL, while POST sends the variables as form data. So to retrieve data sent via GET in ColdFusion, you use #url.myVariable#, and to retrieve data sent via POST, you use #form.myVariable#. POST is the option you want.

The only catch is that in order to specify this variables parameter, you also have to specify the target parameter, even though the default (_self) is fine.

Revise the getURL() line one last time, as follows:

// Send every variable on the main timeline to the results page as POST form data
getURL("dante_quiz_results.cfm", "_self", "POST");

Don't misspell anything, or leave out any commas or quotes.

Again, this line will send all of the variables on the main timeline to dante_quiz_results.cfm using POST.

Click Done to return to Dreamweaver. Use the Files panel to upload (or put) dante_quiz.swf on the remote server.

The SWF file is re-exported and the FLA is saved. Unfortunately, the SWF is not uploaded to the server, so you have to upload that manually.

One more change is necessary. The file dante_quiz_results.cfm is expecting two URL variables—username and score. You even created bindings for them. But they won't be available any more. Instead, they'll be available as form variables. You need to update dante_quiz_results.cfm, or you will get errors.

Open dante_quiz_results.cfm. Create bindings for two form variables: username and score (username might already exist from earlier; if so, don't redefine it).

Dreamweaver now knows the data will be there, but the page is still looking for the wrong data.

In the Document window in Design view, click to select {URL.username}. In the Bindings panel, click the username variable in the Form category, and click Insert to replace it with {Form.username}. Repeat the process to replace {URL.score} with {Form.score}.

This takes care of the <cfoutput> blocks. But don't test the file yet; remember there are two more places inside the <cfquery> block where the URL variable is used.

Switch to Code view and scroll to the top. Change #url.username# to #form.username#; likewise, change #url.score# to #form.score#.

Now the query uses the form data as well, so both the <cfquery> and <cfoutput> blocks read from the same source.
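The following is an added example of what the reworked insert section of dante_quiz_results.cfm can look like once it reads form variables; it is not the book's own file. The datasource name "dante", the table quiz_results with columns username and score, and the maximum score of 10 are assumed values.

```cfml
<!--- Added example (not the lesson's own dante_quiz_results.cfm).
      Assumed: datasource "dante", table quiz_results(username, score),
      and a quiz with a maximum possible score of 10. --->
<cfset maxScore = 10>

<!--- Require the POSTed fields. A request that lacks them (for example a
      hand-typed querystring arriving via GET) stops here with an error,
      and a score that is not a whole number is rejected before any SQL runs. --->
<cfparam name="form.username" type="string">
<cfparam name="form.score" type="integer">

<!--- Sanity-check the values instead of trusting whatever the client sent --->
<cfif NOT Len(Trim(form.username)) OR form.score LT 0 OR form.score GT maxScore>
    <cfthrow message="Invalid quiz submission">
</cfif>

<!--- Bind the values as typed query parameters rather than pasting
      #form.username# and #form.score# straight into the SQL text --->
<cfquery name="insertResult" datasource="dante">
    INSERT INTO quiz_results (username, score)
    VALUES (
        <cfqueryparam cfsqltype="cf_sql_varchar" value="#Trim(form.username)#" maxlength="100">,
        <cfqueryparam cfsqltype="cf_sql_integer" value="#form.score#">
    )
</cfquery>

<!--- Display the stored values; HTMLEditFormat() escapes the user-supplied name --->
<cfoutput>
    <p>Thank you, #HTMLEditFormat(form.username)#. Your score is #form.score# out of #maxScore#.</p>
</cfoutput>
```

POST data can be altered by the sender just as easily as a querystring, so the server-side checks above are what actually protect the table; moving the variables out of the address bar only stops casual editing.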

Save and upload dante_quiz_results.cfm. Take the whole quiz again, starting from dante_quiz_login.cfm.

This time, when you get to the last page of the quiz, the username and score are both displayed and inserted into the database, but you cannot edit them via the URL.
