I sometimes replace < and > with &lt; and &gt;, which is pretty similar to using
htmleditformat() I think.

This stops any code being executed when it is displayed from the database at
least.

Not sure if it's possible to do damage with malicious code in the sql insert
statement, eg.

insert into table1
(Var1)
values
('#form.var1#')

I can't see how a malicious value for form.var1 would cause damage? Maybe
I'm wrong.

Why don't you actually try to insert code which will execute when displayed?

Once you have figured out how that works, try and stop it working.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 27 February 2001 19:11
To: CF-Talk
Subject: data insert & security issues


If I am allowing users to insert data into a db via a text area in a form
what kind of security issues does that raise? And does anyone have
recommendations
for how to handle those issues?
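An added example, not code from either poster, using Python with sqlite3 in place of the thread's ColdFusion and SQL: the interpolated insert from the reply above next to a parameterised one (the cfqueryparam approach), plus the < and > escaping at display time; the sample input is constructed.

```python
import html
import sqlite3

# Constructed sample input: an apostrophe and some markup, the kind of
# text a user can type into a free-form text area.
SAMPLE_INPUT = "O'Brien <b>likes</b> ColdFusion"

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (Var1 TEXT)")
    return conn

def insert_interpolated(conn, value):
    # Mirrors insert into table1 (Var1) values ('#form.var1#'):
    # the user's text is pasted straight into the SQL string.
    sql = "insert into table1 (Var1) values ('%s')" % value
    conn.execute(sql)

def insert_parameterised(conn, value):
    # The value travels as a bound parameter, so the database never
    # parses any part of it as SQL (what cfqueryparam does in CFML).
    conn.execute("insert into table1 (Var1) values (?)", (value,))

def display_value(conn):
    # Output encoding at display time: &, < and > become entities,
    # so stored markup is rendered as text rather than executed.
    row = conn.execute("select Var1 from table1").fetchone()
    return html.escape(row[0], quote=False)

def demo():
    results = {}
    conn = setup_db()
    try:
        insert_interpolated(conn, SAMPLE_INPUT)
        results["interpolated"] = "ok"
    except sqlite3.OperationalError as exc:
        # The apostrophe in O'Brien closes the string literal early and
        # the statement breaks: the same gap a chosen value would abuse.
        results["interpolated"] = "error: %s" % exc
    insert_parameterised(conn, SAMPLE_INPUT)
    results["stored"] = conn.execute("select Var1 from table1").fetchone()[0]
    results["displayed"] = display_value(conn)
    return results
```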
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/