Using URL Variables



So far, we have passed only static URL variables. The values of static variables remain constant. What is far more useful to you as a ColdFusion developer is to create dynamic URL variables, which are usually generated from the results of a database query.

NOTE

It is worth noting that URL is actually a ColdFusion structure, and URL variables may therefore be accessed as structure members. Chapter 15, "Structures," reviews structures in detail.


The following example creates a page that queries all the countries from the database. Each country name is displayed as a link. When a link is clicked, the user is sent to the corresponding target page, which displays the names of all employees in that country.

The following query pulls all the country names out of the database:

 <cfquery name="GetCountries"
          datasource="Employees">
 SELECT * FROM Countries
 </cfquery>

TIP

Some databases pad retrieved data to column width. To avoid filling URLs with blank spaces, use the Trim() function to remove leading and trailing whitespace.


You can then use the results of this query to print the names of all the countries as HTML links:

 <cfoutput query="GetCountries">
 <a href="index.cfm?CID=#CountryID#">#CountryName#</a><br>
 </cfoutput>

TIP

Long documents often use URL bookmarks, which are links presented in a list at the top of a document. When clicked, these bookmarks jump the user down the page to a specific location. Creating these bookmarks involves first naming the points to which you would jump by using the <a name="somename"> syntax. To create the URL bookmark to reference that location, you use the syntax <a href="#somename">. Note the use of the number sign (#) to tell the browser to jump to the spot on the page with the specified name. If you were dynamically generating this list of URL bookmarks, the # would be located inside the <cfoutput> tags and would cause the ColdFusion server to throw an error message essentially stating that it doesn't understand the use of the #. To correct this syntax, you would have to escape the #, thereby rendering it usable by the ColdFusion server. To escape a #, you double it. The correct code would read <a href="##somename">.


As each country name is printed, its associated country ID is coded as a URL variable called CID. When the user clicks any of the links, the country ID associated with the country name on which he or she clicked is passed to the target page. That target page can now use the country ID to query the database for more specific information.

The following query uses the country ID, passed in the variable URL.CID, to query the database for all the employees in that country:

 <cfquery name="GetEmployees"
          datasource="Employees">
 SELECT * FROM Employees
 WHERE CountryID = #URL.CID#
 </cfquery>

Passing the primary key field of a database table is very useful for affecting the results of the target page.

CAUTION

As a rule, passing primary keys as URL parameters is dangerous, as it allows URL tampering to occur. At a minimum, this could allow a user to change a URL to refer to another record, and depending on the database drivers used, it could also allow users to create malicious SQL statements.


Chapter 47, "Advanced Database Features," discusses using bind parameters and the <cfqueryparam> tag. This tag will also protect you from the potential security issue mentioned earlier.
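
The following is an added example, not code from the book: a version of the target page that validates URL.CID before use and passes it to the database with <cfqueryparam>. It assumes CountryID is an integer key; the column names FirstName and LastName are hypothetical.

```cfml
<!--- Added example: hardened target page for index.cfm?CID=... --->
<!--- Assumptions: CountryID is an integer key; FirstName and LastName are
      hypothetical column names in the Employees table. --->

<!--- Reject a missing or non-integer CID before any query runs. --->
<cfif NOT StructKeyExists(URL, "CID") OR NOT IsValid("integer", Trim(URL.CID))>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>Invalid country ID.</cfoutput>
    <cfabort>
</cfif>

<!--- cfqueryparam sends the value as a typed bind parameter, so it is never
      concatenated into the SQL text. --->
<cfquery name="GetEmployees" datasource="Employees">
    SELECT FirstName, LastName
    FROM Employees
    WHERE CountryID = <cfqueryparam value="#Trim(URL.CID)#"
                                    cfsqltype="cf_sql_integer">
</cfquery>

<!--- Binding does not stop a user from editing CID to another valid ID.
      If some countries must be hidden from some users, enforce that rule
      here, on the server, before displaying results. --->

<cfif GetEmployees.RecordCount EQ 0>
    <cfoutput>No employees found.</cfoutput>
<cfelse>
    <!--- HTMLEditFormat escapes markup characters in database values. --->
    <cfoutput query="GetEmployees">
        #HTMLEditFormat(FirstName)# #HTMLEditFormat(LastName)#<br>
    </cfoutput>
</cfif>
```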




Macromedia ColdFusion MX 7 Certified Developer Study Guide
ISBN: 0321330110
EAN: 2147483647
Year: 2004
Pages: 389
Authors: Ben Forta
