Question

I use cftable or cfloop to output a table of items in ColdFusion. But what is the right way to call the editor page on clicking one of the table rows?

Here is the code:

<table class="grid">
<tr>
    <th>id</th>
    <th>Date</th>
    <th>Description</th>
    <th>Status</th>
    <th>Urgency</th>
    <th>Severity</th>
</tr>
<cfloop query="GetIssues">
<tr>
    <td><cfoutput>#id#</cfoutput></td>
    <td><cfoutput>#CreatedOn#</cfoutput></td>
    <td><cfoutput>#ShortDesc#</cfoutput></td>
    <td><cfoutput>#Status#</cfoutput></td>
    <td><cfoutput>#Urgency#</cfoutput></td>
    <td><cfoutput>#Severity#</cfoutput></td>
</tr>
</cfloop>
</table>

I could use an href to make a GET request to the editor page, but is it the right/safe way?


Solution

You can certainly create a link to the editor page and pass the ID, however, if your IDs are numeric, it will be easy for nefarious users to guess the ID of another item. To mitigate this issue, I tend to use UUIDs for my IDs. It is extremely difficult to guess at the ID of another element.

Also, it is better to wrap the cfloop in a cfoutput, rather than wrapping each td - and you should scope your variable names.

For example:

<cfoutput>
    <cfloop query="GetIssues">
      <tr>
        <td><a href="edit.cfm?id=#GetIssues.id#">#GetIssues.id#</a></td>
        <td>#GetIssues.CreatedOn#</td>
        <td>#GetIssues.ShortDesc#</td>
        <td>#GetIssues.Status#</td>
        <td>#GetIssues.Urgency#</td>
        <td>#GetIssues.Severity#</td>
      </tr>
    </cfloop>
</cfoutput>
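The link above hands the row's ID to edit.cfm in the query string, so edit.cfm is where the access decision has to be made. A UUID makes the ID hard to guess, but it does not stop a user who already has a link to someone else's issue; only a server-side ownership check does that. The following edit.cfm is an added example, not code from the original answer. It assumes an `Issues` table with an `OwnerId` column, a `session.userId` set at login, and a datasource named `issues`; all three names are assumptions.

```cfml
<!--- edit.cfm: added example, not part of the original answer.
      Assumed names: datasource "issues", column Issues.OwnerId,
      and session.userId populated by the login page. --->
<cfparam name="url.id" default="">

<!--- Validate the shape of the ID before it reaches the database.
      isValid("uuid", ...) accepts the 35-character format createUUID() produces. --->
<cfif NOT isValid("uuid", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <p>Invalid issue id.</p>
    <cfabort>
</cfif>

<!--- Bind parameters with cfqueryparam (no string concatenation into SQL)
      and restrict the row to the logged-in user. The OwnerId predicate is the
      real authorization check; the UUID only makes guessing harder. --->
<cfquery name="GetIssue" datasource="issues">
    SELECT id, CreatedOn, ShortDesc, Status, Urgency, Severity
    FROM Issues
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_varchar" maxlength="35">
      AND OwnerId = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Treat "not yours" and "does not exist" identically so the response
      does not reveal whether a given ID is in use. --->
<cfif GetIssue.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <p>No such issue.</p>
    <cfabort>
</cfif>

<!--- Encode every value written into HTML; ShortDesc is user-supplied text. --->
<cfoutput>
<form method="post" action="save.cfm">
    <input type="hidden" name="id" value="#encodeForHTMLAttribute(GetIssue.id)#">
    <label>Description
        <input type="text" name="ShortDesc" value="#encodeForHTMLAttribute(GetIssue.ShortDesc)#">
    </label>
    <label>Status
        <input type="text" name="Status" value="#encodeForHTMLAttribute(GetIssue.Status)#">
    </label>
    <button type="submit">Save</button>
</form>
</cfoutput>
```

The same encoding discipline applies to the listing page: write the link as `<a href="edit.cfm?id=#encodeForURL(GetIssues.id)#">#encodeForHTML(GetIssues.id)#</a>` so that a value stored in the table cannot break out of the attribute or the cell. save.cfm must repeat the `OwnerId` check on the posted `form.id` rather than trust that the form was rendered by this page.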
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow