Hi,

I'm tuning a forum (as in security checks) but I'm quite confused about how
one would handle form input.

I know that one should always validate data before doing any operations with
it, e.g. validating numbers (see also URL hack).

But how does one handle "plain text"?
For the "<", ">" characters, would it be correct
if I state that replacing them with their HTML equivalent (&lt;) would be
enough?

I've been searching the cf-talk archive and spat out some forums (devex)
(where, btw, I didn't even find number validation *cough*) but to no
success.

I've never seen/found a way to pass in additional SQL statements (or anything
else for that matter) by filling out a form (aka plain text).

And there's also the fact that for a "SQL forum" it would be obvious that one
would enter "drop table, create table, ...".
So what do you do then?

If anybody has any insights on this please enlighten me.

BTW, I'm already using cfqueryparam in all my SQL statements.


Thanks a lot,
Joachim

FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
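An added example (not from Joachim's post or the cf-talk list) of the split the question is circling: bind SQL values with cfqueryparam, and turn "<" and ">" into entities only when the text is written out to the page. The datasource name, table and column names are assumed.

```cfml
<!--- Assumed names (not from the original post): datasource "forumDSN",
      table "posts" with columns id, thread_id, author, body. --->

<!--- 1. Numbers: validate first, then bind as an integer. --->
<cfif NOT IsNumeric(Form.thread_id) OR Form.thread_id LT 1>
    <cfthrow message="Invalid thread id">
</cfif>

<!--- 2. Free text: do not strip or rewrite it on the way in. cfqueryparam
      sends it as a bound parameter, so "drop table" typed into a post body
      is stored as data, not run as SQL, and a SQL forum can quote statements
      freely. --->
<cfquery name="insertPost" datasource="forumDSN">
    INSERT INTO posts (thread_id, author, body)
    VALUES (
        <cfqueryparam value="#Form.thread_id#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#Form.author#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#Form.body#" cfsqltype="cf_sql_longvarchar">
    )
</cfquery>

<!--- 3. HTML: encode at output time, where the text meets the browser.
      HTMLEditFormat turns <, >, & and " into entities, so a body containing
      markup is displayed literally instead of being interpreted by the
      reader's browser. --->
<cfquery name="getPosts" datasource="forumDSN">
    SELECT author, body FROM posts
    WHERE thread_id = <cfqueryparam value="#Form.thread_id#" cfsqltype="cf_sql_integer">
    ORDER BY id
</cfquery>
<cfoutput query="getPosts">
    <p><strong>#HTMLEditFormat(author)#</strong>: #HTMLEditFormat(body)#</p>
</cfoutput>
```

Encoding on output rather than on input keeps the stored text intact (useful for a SQL forum, where posts legitimately contain "<" and quotes) and means every place that displays it is protected the same way.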