> Andrew Grosset wrote:
> > Works great in IE, but Mozilla Firebird ignores cfheader and displays
> > the page as normal...
>
> I put in <cfabort> right afterwards :D
>
> Here's the whole test I'm using. I put this into application.cfm and,
> as you say, it only eats a max of 15ms.
>
> <!--- Rebuild the requested URL (script path plus query string) and run it through the cleaner --->
> <cfset variables.ThisURLVar = cgi.script_name & cgi.query_string>
> <CF_CodeCleaner INPUT="#variables.ThisURLVar#">
> <cfset variables.CleanURL = clean_code>
> <!--- If the cleaner changed anything, the URL contained code: refuse the request --->
> <cfif CompareNoCase(variables.ThisURLVar, variables.CleanURL)>
> <cfheader statuscode="500" statustext="Server Error">
> <cfabort>
> </cfif>
>
>
> --
> -------------------------------------------
> Matt Robertson, [EMAIL PROTECTED]
> MSB Designs, Inc. http://mysecretbase.com
> -------------------------------------------
>
--
Yes, I did virtually the same, except I modified cf_codecleaner to do the CompareNoCase within the tag, email me the details and cflocation (I'm going to make a "special" 500 page, as I can't get cfheader to work with all browsers - notably cfheader - and do away with cflocation). This keeps application.cfm less "cluttered", as I can then do all the business in one line of code in application.cfm.
Also, I use #urldecode(cgi.query_string)#, as otherwise %3c (percent 3 c) will not be scrubbed (this also applies to all other HTML-escaped encodings).
Within the script tags I also added:
// remove other code characters: parentheses, braces, brackets, plus and star
// ( ) { } can go in one character class
other = "[\(){}]";
tmp = REReplace(tmp, other, "", "ALL");
// [ and ] have to be handled separately (they delimit the class itself)
tmp = Replace(tmp, "[", "", "ALL");
tmp = Replace(tmp, "]", "", "ALL");
// plain string replaces, so + and * need no escaping here
tmp = Replace(tmp, "+", "", "ALL");
tmp = Replace(tmp, "*", "", "ALL");
It's pretty consistent at around 15-16ms, which is good.
regards, Andrew.
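The check discussed in this thread (rebuild the URL, scrub it, and reject the request if scrubbing changed anything) and the reason for the urldecode step are easy to see in a small stand-alone model. The following is an added example in Python, not code from the list posters or from cf_codecleaner: `clean_code` is an assumed stand-in for the custom tag (it strips angle brackets plus the characters Andrew's snippet removes), `request_is_clean` models the application.cfm logic with and without the decode step, and the sample requests are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Assumed model of cf_codecleaner: angle brackets plus the characters Andrew's
# snippet strips. Real cf_codecleaner may remove more than this.
_STRIP = re.compile(r"[<>(){}\[\]+*]")


def clean_code(text: str) -> str:
    """Return text with every 'code' character removed (assumed scrubber model)."""
    return _STRIP.sub("", text)


def request_is_clean(script_name: str, query_string: str, decode: bool = True) -> bool:
    """Model of the application.cfm check.

    decode=False checks the raw cgi.query_string (the first version in the thread).
    decode=True URL-decodes it first (Andrew's #urldecode(cgi.query_string)#),
    so %3c becomes '<' before the scrubber sees it.
    The request is accepted only if scrubbing changed nothing; the compare is
    case-insensitive to mirror CompareNoCase.
    """
    qs = unquote_plus(query_string) if decode else query_string
    url = script_name + qs
    return clean_code(url).lower() == url.lower()


# Constructed sample requests (not from the list post).
SAMPLES = [
    ("/index.cfm", "id=42"),                    # ordinary request
    ("/index.cfm", "id=1<script>"),             # literal tag in the query string
    ("/index.cfm", "id=1%3Cscript%3E"),         # same tag, URL-encoded
    ("/index.cfm", "id=1%253Cscript%253E"),     # double-encoded: one decode is not enough
    ("/search.cfm", "q=c%2B%2B"),               # legitimate '+' is rejected after decoding
]


def run_samples(decode: bool) -> dict:
    """Map each sample query string to the accept/reject decision."""
    return {qs: request_is_clean(path, qs, decode) for path, qs in SAMPLES}


if __name__ == "__main__":
    for decode in (False, True):
        print(f"decode={decode}")
        for qs, ok in run_samples(decode).items():
            print(f"  {qs!r:28} -> {'accept' if ok else 'reject (500)'}")
```

Running it shows the point of the decode step: without it, `id=1%3Cscript%3E` sails through because the scrubber never sees a `<`. It also shows two caveats worth knowing before putting this in application.cfm: a single decode does not catch double-encoded input (`%253C`), so anything downstream that decodes again must be treated as untrusted, and stripping `+` turns every legitimate encoded plus (`%2B`) into a 500, so the character list needs tuning for the application's real inputs.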