vchris Posted November 2, 2006

I am creating a "New user registration" page. On this page already created users can create new users. I wanna add security by making sure the new user doesn't have the same name or username as someone already registered. I create my query to select all users username and name. My question is if I do

<cfif #getUser.UserName# eq #form.uname#>

WHERE getUser = query

Will this loop through all usernames or will it only go through the first one?

My guess is it will only compare with the first one and I'm gonna need to create an output and then create my cfif.
Skemcin Posted November 2, 2006

Here is how I typically do it.

<cfparam name="form.username" default="">
<cfparam name="form.password" default="">
<!--- Bind the submitted values with cfqueryparam and compare with "=" so the input is treated as data, never as SQL or as a LIKE pattern --->
<cfquery name="qryCheckPassword" datasource="xxxxxx" username="xxxxxx" password="xxxxxx">
SELECT *
FROM abc_customers
WHERE abc_username = <cfqueryparam value="#form.username#" cfsqltype="cf_sql_varchar">
AND abc_password = <cfqueryparam value="#form.password#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfif qryCheckPassword.recordcount EQ 0>
<!--- Username and Password combination NOT FOUND, send message to client and ask to try again. Optional: --->
<cfset session.username=form.username>
<!--- if you set session variables then you can have your login form repopulate the form with the username to save the user time - or pass it in the url. --->
<cfabort>
<cfelseif qryCheckPassword.recordcount EQ 1>
<!--- LOG IN SUCCESSFUL - tell client they are in and then do all your login functions here (db update, session variables, etc.) --->
<cfelse>
<!--- MULTIPLE RECORDS found - might need to do something about this - report a failure to client but send yourself an email about duplicate record --->
<cfabort>
</cfif>

Let me know if this helps.

Basically, you should have to use a ColdFusion condition to check if the form password is equal to one found when looping through a query - that takes too long (in milliseconds). Just build your query to be conditional upon what was submitted.
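Added example, not part of the original posts: the same "let the query do the comparison" approach applied to the duplicate check asked about in the first post. The columns abc_firstname and abc_lastname, the form field names, the rule "same username, or same first and last name" and the unique index on abc_username are assumptions; abc_customers, abc_username and the xxxxxx datasource placeholder come from the post above.

```cfml
<!--- Added example: names marked "assumed" are not from the thread --->
<cfparam name="form.uname" default="">
<cfparam name="form.fname" default="">  <!--- assumed field name --->
<cfparam name="form.lname" default="">  <!--- assumed field name --->

<cfset uname = trim(form.uname)>
<cfset fname = trim(form.fname)>
<cfset lname = trim(form.lname)>
<cfset errors = arrayNew(1)>

<cfif NOT len(uname) OR NOT len(fname) OR NOT len(lname)>
    <cfset arrayAppend(errors, "Username, first name and last name are required.")>
<cfelse>
    <!--- The database does the comparison; every value is bound, not interpolated --->
    <cfquery name="qryDuplicate" datasource="xxxxxx">
        SELECT abc_username
        FROM abc_customers
        WHERE abc_username = <cfqueryparam value="#uname#" cfsqltype="cf_sql_varchar">
           OR (abc_firstname = <cfqueryparam value="#fname#" cfsqltype="cf_sql_varchar">
               AND abc_lastname = <cfqueryparam value="#lname#" cfsqltype="cf_sql_varchar">)
    </cfquery>
    <cfif qryDuplicate.recordcount GT 0>
        <!--- One generic message: do not reveal which field matched an existing user --->
        <cfset arrayAppend(errors, "A user with that username or name already exists.")>
    </cfif>
</cfif>

<cfif arrayLen(errors) EQ 0>
    <!--- Two requests can pass the SELECT at the same moment, so the unique index
          (assumed to exist on abc_username) is the final guard --->
    <cftry>
        <cfquery datasource="xxxxxx">
            INSERT INTO abc_customers (abc_username, abc_firstname, abc_lastname)
            VALUES (
                <cfqueryparam value="#uname#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#fname#" cfsqltype="cf_sql_varchar">,
                <cfqueryparam value="#lname#" cfsqltype="cf_sql_varchar">
            )
        </cfquery>
        <cfcatch type="database">
            <!--- Keep the driver detail in the server log, not in the page --->
            <cflog file="registration" type="error" text="#cfcatch.message#">
            <cfset arrayAppend(errors, "The user could not be created.")>
        </cfcatch>
    </cftry>
</cfif>
```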
vchris Posted November 2, 2006

Thanks! That should fix my problem.
Skemcin Posted November 2, 2006

let me know if you have any other questions . . .
vchris Posted November 3, 2006

I'm currently trying your suggestion. What about if I would like to tell the user that the username, first name or last name was incorrect? How would I do that if all those fields are in 1 query?

EDIT: Is there another way to do single-line if statement instead of <cfif x eq 1>asldfjldsajf</cfif> ?
Skemcin Posted November 3, 2006

First, if you are only asking for a username and password and the query returns no results, then you would not have a first and last name to return to them. It is not advised to ask for a username and password and upon failure identify who just tried to log in. Meaning, you should never offer any personal information until they are successfully logged in. I could find out your first and last name just by knowing your user id - not a good thing.

In place of <cfif>, you can use <cfcase> and <cfswitch>. It's a little more complicated but not too much.

What is leading you to ask about the single line <cfif> question - curiosity or some functionality you are trying to incorporate?
vchris Posted November 3, 2006

I'm not creating a user login. I'm creating a page that only registered users can access where they can create new users but if there is already a registered user with the same first name, last name or user name well I don't want the user to be able to create that new user. Just security measure against duplicate records.

About the single-line if statement, I have a form with maybe 7-8 fields + 10-15 check boxes. If the user tries to create a new user but is missing a mandatory field for example well when the form reloads it's empty. I created if statements in the value attributes of the text inputs so now it automatically populates the form on submit so the user doesn't have to refill the whole form. It's in the case of the check boxes that it's a bit more complicated. I need to check if the form variable is defined and then find and check the right check boxes. So basically 2 if statements. Just trying to make it tidier. PHP and ASP have single-line if statements.

EDIT: Could I have something like this?

<cfif Session.UserType eq 1>'#form.utype#'<cfelse>2</cfif>

on one line. I get this error: Incorrect syntax near the keyword 'VALUES'. The if statement is bolded so I guess this doesn't work.
Skemcin Posted November 3, 2006

Here is how I handle the situation you are speaking of.

First, we have to talk conventions - I separate my action pages from my form pages:

login-form.cfm
login-authenticate.cfm
(for instance)

I've known developers that put all this stuff on one page - I can't handle all the clutter - the 300 lines of code - so I separate mine.

This is important since it dictates the method used to pre-populate a form on a post back. If you have all the action taking place on the same page, then I'd do this:

a.) <cfparam> all form variables first

b.) write a single condition at the top of the page <cfif ISDEFINED("form.btn_submit")> where the name of the submit button is "btn_submit" and that form variable is not <cfparam>'ed. This will isolate the code in the if statement to only run when the submit button is used

c.) write your form and have all the value attributes defined with #form.variable#. Now, for radio buttons, check boxes, and drop down values, the "selected='selected'" or the "checked='checked'" attributes WILL need to be wrapped in conditional statements like this:

<input type="checkbox" name="xxxxxx" value="1"<cfif form.xxxxxx EQ 1> checked="checked"</cfif> />
<input type="checkbox" name="xxxxxx" value="2"<cfif form.xxxxxx EQ 2> checked="checked"</cfif> />
<input type="checkbox" name="xxxxxx" value="3"<cfif form.xxxxxx EQ 3> checked="checked"</cfif> />

If your <cfparam name="form.xxxxxx" default="0"> is defined at the top of the page then none will be checked. Once the form is posted back the way this is coded, then it will pre-populate the value.

Try this and let me know how it works out.
vchris Posted November 6, 2006

Thanks. Do you have more information on this convention? I should be doing this.

> First, we have to talk conventions - I separate my action pages from my form pages:
> login-form.cfm
> login-authenticate.cfm
> (for instance)
Skemcin Posted November 6, 2006

Funny you should ask. First, understand that I do not believe that there is any correct or incorrect naming convention out there. From my experience, I've found each developer ends up finding/creating their own. I've just always questioned how much consideration is given to any other developer. Of course, the first answer is, why should you care. Well, if you are a stand up, honest person, then you should be able to understand that you may not always be the one responsible for the code. And not caring about making the next developer is taking the low road - one I prefer to travel less. I'd rather have a favorable impression of the previous developer and have more respect for the work they did than find myself cursing them every chance I get for the mess they left.

Anyhow, here is a link to a PDF file I can offer you (and anyone else interested). It is bits and pieces of stuff I've defined (for myself and any contractors I hire) over the last couple of years.

Here ya go:
http://www.iribbit.net/i/_files/conventions.pdf
vchris Posted November 6, 2006

Very interesting!
vchris Posted November 6, 2006

I'm used to creating 1 page with everything in it. For this project I'd like to create the page with a form and a page with the processing. How do you transfer error messages from the processing page to the form page? Session variables?
aspnetguy Posted November 6, 2006

I know you want to separate your pages but when I validate a form I either use JavaScript to validate it before sending it to the processing page or process on the same page to display error messages.

Session variables would work but you are adding extra trips to the server (longer load times)
vchris Posted November 6, 2006

OK. So if I do it your way I would have all the cfif in my form page and I could say that if all cfif pass then I send the user to the processing page. This would work but what about users that type in the processing page address? How could I stop them from creating their own form and submitting it to my processing form? I would need some kind of marker that says it's been submitted from that form and if not then I redirect to the form page. Any ideas how to do this?
aspnetguy Posted November 6, 2006

You're right, you could not stop that. IMO processing the form on the same page (error handling and database actions, etc) is the best way.
Skemcin Posted November 6, 2006

Here is how I would handle the concerns you address:

a.) I always do client side form validation

b.) I back up my client side validation with server side validation

c.) It doesn't matter if you use page A or page B to process a form, anyone can place a page on their local drive and submit to your page. All my action pages check for both a certain submit button value and for the page (domain) referrer url. This ensures that only a certain page(s) in my domain are posting to my applications.

ie: http://www.iribbit.net/i/contactme-action.cfm

As for returning errors - I either use alerts on the action page or I use server side includes on the action page for error catching. I, then, either have the link that returns the user to the form look like a link or have it as an actual form button posting back to the original form page. That page, just like the action page, uses the same set of <cfparam name="form.myvariable" default="myvalue"> tags. It simply doesn't matter what page does the processing, the form page still has to have all the code written into it to be prepopulated.

Another reason I separate my actions from my forms is to make server log analysis much easier. I can isolate errors or slow requests much easier. I don't have to think - "oh does this page have a form on it is it a post or get, how do I know if this page is showing an error for some other reason".

In any respect, I mentioned that each developer has his/her own conventions. ColdFusion logic, I feel, is very easy to separate form from function and display from action. I, honestly, am not versed in asp or php enough to formulate a real evidenced based comparison. It probably still wouldn't matter since a developer is still going to do what they want. :)

I can only advise you to try each way that might be presented to you and give each a fair shake. Then, adapt or modify it to suit your needs.

I've got more rationale if you have more questions. :)

BTW, the example I provided doesn't have the referring URL check in it - I don't think, - I'd have to check.
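Added example, not code from the thread: a form page and action page pair that performs the submit-button and referrer checks described in the post above and adds a per-session token. The button value and the Referer header are both supplied by the client, so a hand-built request can carry them; the token is tied to the server-side session and is the check that actually identifies the form. Assumes session management is enabled and ColdFusion 10+ or Lucee (for CSRFGenerateToken, CSRFVerifyToken and the encodeFor* functions); file names, field names and the "newUser" key are hypothetical.

```cfml
<!--- user-form.cfm: form page (file names are hypothetical) --->
<cfparam name="form.uname" default="">
<cfparam name="session.formErrors" default="">
<cfoutput>
<cfif len(session.formErrors)><p>#encodeForHTML(session.formErrors)#</p></cfif>
<form action="user-action.cfm" method="post">
    <!--- Token bound to this session; "newUser" is a key chosen for this example --->
    <input type="hidden" name="csrf_token" value="#CSRFGenerateToken('newUser')#">
    <!--- Encode anything echoed back into the page --->
    <input type="text" name="uname" value="#encodeForHTMLAttribute(form.uname)#">
    <input type="submit" name="btn_submit" value="Create user">
</form>
</cfoutput>
<cfset session.formErrors = "">

<!--- user-action.cfm: action page --->
<cfparam name="form.uname" default="">
<cfparam name="form.csrf_token" default="">
<!--- Host part of the Referer header; stays empty when the header is absent --->
<cfset refererHost = reReplaceNoCase(cgi.http_referer, "^https?://([^/:]+).*$", "\1")>
<cfif cgi.request_method NEQ "POST"
      OR NOT structKeyExists(form, "btn_submit")
      OR compareNoCase(refererHost, cgi.server_name) NEQ 0
      OR NOT CSRFVerifyToken(form.csrf_token, "newUser")>
    <!--- Not a post from our own form in this session: send the client back --->
    <cflocation url="user-form.cfm" addtoken="false">
</cfif>
<!--- Server-side validation repeats what the client-side script checks --->
<cfif NOT reFind("^[A-Za-z0-9_]{3,30}$", form.uname)>
    <cfset session.formErrors = "Username must be 3-30 letters, digits or underscores.">
    <cflocation url="user-form.cfm" addtoken="false">
</cfif>
<!--- Input accepted: run the duplicate check and the INSERT here --->
```

The strict Referer comparison also rejects browsers and proxies that strip the header, so treat it as a secondary signal next to the token.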