Unless you were using evaluate() on the column name inside another query somewhere, I am not aware of how that could be used for an injection.

On Aug 15, 2014 1:51 PM, "Stephens, Larry V" <steph...@iu.edu> wrote:
> Using information from a Ben Nadel article, jsStringFormat(htmlEditFormat()) seems to be catching insertions like <b> and escaping them.
>
> However, I have tried a number of regex routines from http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks plus another from a CF article that I can't place at the moment, to catch statements like "select * from tblX" inserted into a text field. None of them seem to work.
>
> The number of articles and pages making recommendations and giving examples is overwhelming. Can someone provide a suggestion for protecting a site in addition to what I got from Nadel and using ScriptProtect?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359120
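The thread above is about detecting strings like "select * from tblX" in a text field with a regex. The added example below is not from the mailing list or from either poster; it uses Python and an in-memory SQLite database (the sample rows, the table name, the blacklist pattern and the payload are all constructed for this illustration) to show why a keyword blacklist is the wrong layer: it flags harmless English, misses a payload that contains no SQL keyword at all, and the same payload is neutralised completely once the value is bound as a query parameter, which is what cfqueryparam does in ColdFusion.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the thread).
SAMPLE_USERS = [("alice", "alice-secret"),
                ("bob", "bob-secret"),
                ("carol", "carol-secret")]

# An illustrative keyword blacklist of the kind the original poster tried.
# This pattern is an assumption for the example, not one quoted from the
# Symantec article.
SQL_KEYWORD_BLACKLIST = re.compile(r"\bselect\b.*\bfrom\b",
                                   re.IGNORECASE | re.DOTALL)


def looks_like_sql(text: str) -> bool:
    """Blacklist check: True when the text matches the keyword pattern."""
    return SQL_KEYWORD_BLACKLIST.search(text) is not None


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input is spliced into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the input is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo() -> dict:
    """Run both checks against benign text and a tautology payload."""
    conn = open_db()
    benign = "Please select a seat from the map"   # ordinary text, no SQL
    payload = "nobody' OR '1'='1"                   # no SELECT/FROM keywords
    return {
        # Blacklist fires on the harmless sentence (false positive) ...
        "blacklist_flags_benign": looks_like_sql(benign),
        # ... and stays silent on the actual injection (false negative).
        "blacklist_flags_payload": looks_like_sql(payload),
        # Concatenation turns the WHERE clause into a tautology: every row.
        "unsafe_rows": find_user_unsafe(conn, payload),
        # Parameter binding looks for a user literally named the payload: none.
        "param_rows": find_user_param(conn, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the original question: escaping helpers such as htmlEditFormat() and jsStringFormat() address output to HTML and JavaScript, and a detection regex can only guess at what "looks like SQL"; neither changes how the database parser sees the value. Binding every user-supplied value as a parameter (cfqueryparam in CFML, `?` placeholders above) removes the injection regardless of what the string contains, so the regex becomes at most a logging aid rather than the control.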