Category: ColdFusion Development
default include

What is the default include page for cfm? I mean, my include code is

<cfset GetPageContext().include("#URLDecode(URL.file)#.cfm")>

and the URL is http://www.mysite.com/index.cfm?file=pagename, but when users type http://www.mysite.com/index.cfm I want to put a default page. How do I do that? Because if there isn't a default page, it gives an error :(

Is there a reason why you are using the getPageContext() function? This is typically used for server-side redirects or for including jsp files. What's wrong with this instead:

<cfparam name="url.file" default="defaultPageName">
<cfinclude template="#url.file#.cfm">


Personally, I see this as a massive security hole. I sure know that in my apps I would not want to let someone just call any page they want by adding it to the URL. This is especially true for MVC applications where the Model and View are callable only internally and never by an external user. But if your app is small or you aren't worried about what files they can call, then you might be OK.

Should have mentioned an even bigger problem with this setup: if the user manually edits the filename in the URL, it would be possible for them to force an include of ANY file on the system! Consider:


www.mysite.com/index.cfm?filename=../../../winnt/system.ini

Would, depending on the paths you are using, include a critical Windows system file. So if you really are going to do this, you'd better rip out any offensive characters like ../ before you perform the include.

I REALLY thank you for the script, kiteless, and I am aware of the ../../../winnt/system.ini, but they can't do it. Why? Let me explain: the code you gave me is this

<cfparam name="url.file" default="defaultPageName">
<cfinclude template="#url.file#.cfm">

when the users type

www.mysite.com/index.cfm?file=../../../winnt/system.ini

it will go to www.mysite.com/index.cfm?file=../../../winnt/system.ini.cfm, which doesn't exist, because

in the includes, it will go as

<cfparam name="url.file" default="defaultPageName">
<cfinclude template="../../../winnt/system.ini.cfm">

So I'd doubt that trick would work, but if you were talking about something else, can you please explain, because I don't want people to access files outside the wwwroot.

You are correct about the .cfm being appended to the included file, which would make it harder for a malicious user to get at files out of the web root... but still, to me, this is too close for comfort.

You could do something like replaceNoCase( url.file, '../', '', 'All' ) to manually replace those characters.

Still, overall using this technique of specifying the file to include is more trouble than it is worth. There's no modularity. In order to properly separate your data from the presentation you're going to have to do a good bit of manual work.

Look at Fusebox. In fact, the beta of Fusebox 4 is nearly over, and Fusebox 4 is sweet as hell. Take a look at beta.fusebox.org, and learn about Fusebox at www.fusebox.org and www.techspedition.com.

regards,

Brian
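
An added example, not code from any poster in this thread: instead of stripping characters from url.file, the request value is used only as a lookup key into a fixed set of templates, which also gives index.cfm its default page. The page names, template paths and log file name are hypothetical placeholders.

```cfml
<!--- Added example: page names and paths are hypothetical placeholders. --->

<!--- Map each public page name to the template it may include.
      Only keys of this struct can ever be included. --->
<cfset pages = structNew()>
<cfset pages["home"]    = "pages/home.cfm">
<cfset pages["about"]   = "pages/about.cfm">
<cfset pages["contact"] = "pages/contact.cfm">
<cfset defaultPage = "home">

<!--- index.cfm with no ?file= falls back to the default page. --->
<cfparam name="url.file" default="#defaultPage#">

<cfif structKeyExists(pages, url.file)>
    <cfset requestedPage = url.file>
<cfelse>
    <!--- Unknown name: record it for review and serve the default.
          Non-printable characters are replaced and the value is
          truncated so the raw request value cannot forge log lines. --->
    <cfset safeValue = left(reReplace(url.file, "[^[:print:]]", "?", "all"), 100)>
    <cflog file="include_rejects" type="warning"
           text="Rejected include name: #safeValue# from #cgi.remote_addr#">
    <cfset requestedPage = defaultPage>
</cfif>

<!--- The path comes from the struct, never from the request. --->
<cfinclude template="#pages[requestedPage]#">
```

Because the include path is read from the struct, a value containing path separators or dots simply fails the lookup and the default page is served.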









