In my case, I do web front ends to database applications.  Some of the
databases allow data entry from the public (mail list sign up, etc.)  I
can't guarantee how the database info is going to be used in the future.
But even now, a good amount of the information is retrieved and displayed to
a web page - some of it within EVALUATE functions.

Therefore, stripping out unwanted code (javascript, cfcode, etc) is a good
idea - unless I want some script kiddie messing around with my sites.  

On the other hand, you are right.  If you are simply collecting information
from the website, and not using this info on the site itself, then the
effort to strip this code becomes meaningless.

I place my stripping functions in the application.cfm - so that every page I
code is automagically protected from the script kiddies, without me having
to worry about it on every page I write.  (My functions loop through the
Query parameters, and the form elements - guess I should include cookies in
there too.)

My two cents worth.

Shawn Grover
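Shawn's Application.cfm approach, written out as an added example (this is not his routine or any code from the thread): on every request it loops over the form and url scopes and strips CF tags, other tags and the pound sign before the page runs, and the query at the end shows cfqueryparam, which covers the quote and semicolon worries without deleting characters. The application name, datasource, table and column names are assumptions.

```cfml
<!--- Application.cfm: ColdFusion runs this before every page under it.
      Added example, not the thread's code; "myApp" is an assumed name. --->
<cfapplication name="myApp">

<cfscript>
    // Return a copy of one user-supplied string with the risky pieces removed
    function cleanValue(s) {
        // 1. Any <cf...> or </cf...> tag, so nothing user-supplied can reach an
        //    Evaluate() or a cfinclude'd file as executable CFML
        s = REReplaceNoCase(s, "</?cf[^>]*>", "", "ALL");
        // 2. Any remaining HTML or <script> tag
        s = REReplace(s, "<[^>]*>", "", "ALL");
        // 3. The pound sign, which Evaluate() would treat as an expression marker
        //    ("##" in a CFML string literal is one literal #)
        s = Replace(s, "##", "", "ALL");
        return s;
    }
</cfscript>

<!--- Posted form fields --->
<cfloop collection="#form#" item="fieldName">
    <cfif IsSimpleValue(form[fieldName])>
        <cfset form[fieldName] = cleanValue(form[fieldName])>
    </cfif>
</cfloop>

<!--- Query-string parameters --->
<cfloop collection="#url#" item="paramName">
    <cfif IsSimpleValue(url[paramName])>
        <cfset url[paramName] = cleanValue(url[paramName])>
    </cfif>
</cfloop>

<!--- In the sign-up page itself (not Application.cfm): bind the values with
      cfqueryparam instead of stripping ' and ;.  The driver sends the text as
      data, so O'Brien stays a name and a second SQL statement cannot be injected.
      "myDSN", "subscribers" and the column names are assumed. --->
<cfquery name="addSubscriber" datasource="myDSN">
    INSERT INTO subscribers (email, name)
    VALUES (
        <cfqueryparam value="#form.email#" cfsqltype="cf_sql_varchar" maxlength="254">,
        <cfqueryparam value="#form.name#"  cfsqltype="cf_sql_varchar" maxlength="100">
    )
</cfquery>

<!--- When the stored text is later displayed, encode it rather than trusting the
      earlier stripping: HTMLEditFormat turns < > & " into entities. --->
<cfoutput>#HTMLEditFormat(form.name)#</cfoutput>
```

The stripping step still matters for values that end up inside Evaluate(), but for the database and the browser it is cfqueryparam and HTMLEditFormat that carry the protection.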


> -----Original Message-----
> From: Raymond Camden [mailto:[EMAIL PROTECTED]]
> Sent: 19 December 2001 15:44
> To: CF-Talk
> Subject: RE: Forms and CF Code
> 
> 
> Why would anyone need to clean cfcode? Unless you save user input to a
> file and cfinclude it, it will not get executed.
> 
> FYI, to clean HTML and stuff, look for StripHTML on cflib.org.
> 
> ====================================================================
> Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
> 
> Email    : [EMAIL PROTECTED]
> Yahoo IM : morpheus
> 
> "My ally is the Force, and a powerful ally it is." - Yoda 
> 
> > -----Original Message-----
> > From: Jennifer Larkin [mailto:[EMAIL PROTECTED]] 
> > Sent: Tuesday, December 18, 2001 7:14 PM
> > To: CF-Talk
> > Subject: RE: Forms and CF Code
> > 
> > 
> > In addition to CF code, you may need to strip out other 
> > characters to avoid 
> > SQL hacks and such. If I can, I strip all < > ; # % * ' ( ) 
> > and , with 
> > REReplace or use REFind to detect the nasty ones and throw an error 
> > message, including sending an email message to me. < and > 
> > eliminate the 
> > functionality of <CF..>. # can be icky if it comes up in a 
> > bad place. ( and 
> > ) missing will eliminate the functionality of a CF function. 
> > ; can be used 
> > in a query to do nasty things like execute a second SQL 
> > command in your 
> > CFQuery and drop your tables. % is a sql wildcard so a user 
> > could get more 
> > returns than you want them to. , has caused me a lot of 
> > problems when I try 
> > to dump the data to a text file. * just makes me nervous. *twitch*
> > 
> > At 04:02 PM 12/18/01 -0700, you wrote:
> > >I wrote a simple routine that would loop through all the 
> > form elements,
> > >strip out HTML, and change single quotes to chr(97).  It'd 
> > be easy enough to
> > >do something similar for cfcode - just check for the <CF or 
> > specific CF
> > >functions.  A simple search/replace, or regular expression 
> > can handle this.
> > >
> > >If you need it, I can dig out my routine, but it's simple 
> > enough that it can
> > >be recreated from scratch in about 30 minutes.
> > >
> 

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists