In addition to CF code, you may need to strip out other characters to avoid 
SQL hacks and such. If I can, I strip all < > ; # % * ' ( ) and , with 
REReplace or use REFind to detect the nasty ones and throw an error 
message, including sending an email message to me. < and > eliminate the 
functionality of <CF..>. # can be icky if it comes up in a bad place. ( and 
) missing will eliminate the functionality of a CF function. ; can be used 
in a query to do nasty things like execute a second SQL command in your 
CFQuery and drop your tables. % is a SQL wildcard so a user could get more 
returns than you want them to. , has caused me a lot of problems when I try 
to dump the data to a text file. * just makes me nervous. *twitch*

At 04:02 PM 12/18/01 -0700, you wrote:
>I wrote a simple routine that would loop through all the form elements,
>strip out HTML, and change single quotes to chr(97).  It'd be easy enough to
>do something similar for cfcode - just check for the <CF or specific CF
>functions.  A simple search/replace, or regular expression can handle this.
>
>If you need it, I can dig out my routine, but it's simple enough that it can
>be recreated from scratch in about 30 minutes.
>
>Shawn Grover
>
>-----Original Message-----
>From: Tangorre, Michael T. [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, December 18, 2001 3:38 PM
>To: CF-Talk
>Subject: Forms and CF Code
>
>
>Hi Everyone.
>
>What steps can be taken to prevent users from submitting cfcode via a form?
>Are there any tags out there that will protect?
>Any ideas or suggestions would be much appreciated.
>
>Michael T. Tangorre
>
>============================
>Resident Assistant - Brick
>Web Applications Developer
>A.U. Webteam Slave  :-)
>AIM: CrazyFlash4
>============================
>
>
>
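The two policies from the first message (REFind to detect and reject, REReplace to strip) together with Shawn's HTML/<CF tag checks, as an added example in Python rather than CFML; it is not code from either poster, and the regex classes, function names and the sample form submission are constructed for illustration.

```python
from __future__ import annotations
import re

# The character blacklist named in the post: < > ; # % * ' ( ) and ,
# written as one regex character class (constructed for this example).
NASTY = re.compile(r"[<>;#%*'(),]")
# Shawn's two checks: anything tag-shaped, and specifically a ColdFusion <CF...> tag.
TAG = re.compile(r"<[^>]*>")
CF_TAG = re.compile(r"<\s*cf\w", re.IGNORECASE)

def find_nasty(value: str) -> list[str]:
    """REFind-style detection: distinct blacklisted characters, in order of first appearance."""
    found: list[str] = []
    for ch in NASTY.findall(value):
        if ch not in found:
            found.append(ch)
    return found

def strip_nasty(value: str) -> str:
    """REReplace(value, "[<>;#%*'(),]", "", "ALL")-style stripping. Lossy: "O'Brien" -> "OBrien"."""
    return NASTY.sub("", value)

def strip_html(value: str) -> str:
    """Remove everything that looks like a tag, CF tags included."""
    return TAG.sub("", value)

def has_cf_tag(value: str) -> bool:
    """True if the text contains a <CF...> tag, in any case or spacing."""
    return CF_TAG.search(value) is not None

def validate_form(fields: dict[str, str]) -> dict[str, list[str]]:
    """Detect-and-reject policy: map each offending field to the characters that tripped it.
    An empty dict means the submission is clean; a non-empty one is the report to show
    on the error page and to put in the alert e-mail."""
    return {name: chars for name, value in fields.items() if (chars := find_nasty(value))}

def sanitize_form(fields: dict[str, str]) -> dict[str, str]:
    """Strip-and-accept policy: the same blacklist applied with REReplace semantics."""
    return {name: strip_nasty(value) for name, value in fields.items()}

# Constructed sample submission: one legitimate apostrophe, one field carrying CF code.
SAMPLE_FORM = {
    "name": "Conan O'Brien",
    "city": "Albany",
    "comment": "nice site; see <cfoutput>#now()#</cfoutput>",
}

if __name__ == "__main__":
    print(validate_form(SAMPLE_FORM))
    print(sanitize_form(SAMPLE_FORM))
```

The detect path keeps a surname like O'Brien intact and records the attempt, while the strip path silently rewrites it to OBrien, so rejecting is the safer choice for data you intend to store.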
______________________________________________________________________
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists