>- see footer for list info -<
htmleditformat()

You can format your user response with this before it goes into the
db, then it will render harmless any scripting hacks.  You can also use
it to display stuff, and it keeps the browser safe.

Also look into the cfqueryparam tag.  By putting in the expected data
type, that will prevent SQL injection attacks.  Those do the real
damage.


On Mon, 31 Jan 2005 13:46:41 -0600, Peter Donahue
<[EMAIL PROTECTED]> wrote:
> 
> Hello everyone,
> 
>     I'm working on a CF website for an organization I belong to that is
> scheduled to go on-line on July 1 of this year.  I did this as a class
> project last semester.  The site contains a Microsoft Access database for
> displaying guestbook information. It also allows visitors to post
> information to the guestbook via several XHTML forms. Because I had taken on
> such an advanced project for my final exam assignment, the instructor decided
> to point out some vulnerabilities of this guestbook by hacking into it
> during our final exam show and tell.  He did this by entering HTML and XHTML
> tags into the form fields, and made a real mess of things.  I fixed things
> later that day.  He told me that there is some code one must enter on form
> pages that prevents data entered as HTML or XHTML tags from being
> interpreted as such, preventing damage to the database and giving hackers a
> field day.  He said that it was some kind of formatting protocol which
> enhances security on such pages, but I don't have the specific code, or know
> how to set it up.  If one of you can help me out with this I'll appreciate
> that very much.  The site is located at:
> http://www.nfb-travel.org/nfb-travel.cfm
> 
>     This is a link that allows you to bypass the home page, which is an under
> construction notice.  Please feel free to check out these pages, and let me
> know what to do to hack-proof those data entry pages.  By the way, I earned
> an A in that course.  Over here an A is the highest letter grade one can
> earn in a class.  Thanks in advance.
> 
> Peter Donahue
> 
> _______________________________________________
> 
> For details on ALL mailing lists and for joining or leaving lists, go to 
> http://list.cfdeveloper.co.uk/mailman/listinfo
> 
> --
> CFDeveloper Sponsors:-
> >- Hosting provided by www.cfmxhosting.co.uk -<
> >- Forum provided by www.fusetalk.com -<
> >- DHTML Menus provided by www.APYCOM.com -<
> >- Lists hosted by www.Gradwell.com -<
> >- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<
>
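A minimal guestbook page that puts both suggestions from the reply together, as an added example that is not code from the original thread or from the site Peter describes; the datasource name "guestbook" and the table and column names are assumptions:

```cfml
<!--- Added example, not the thread's or the site's own code.
      Assumes a datasource "guestbook" with a table guestbook(name, message, posted). --->

<!--- 1. Storing a post: bind every form value with cfqueryparam.
      Without it the statement would be built as VALUES ('#form.name#', ...) and a
      quote in the input would change the SQL. With it the value is sent as a bound
      parameter of the declared type, so it stays data; maxlength also bounds size. --->
<cfif structKeyExists(form, "name") and structKeyExists(form, "message")>
    <cfquery datasource="guestbook">
        INSERT INTO guestbook (name, message, posted)
        VALUES (
            <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar" maxlength="100">,
            <cfqueryparam value="#form.message#" cfsqltype="cf_sql_longvarchar">,
            <cfqueryparam value="#now()#" cfsqltype="cf_sql_timestamp">
        )
    </cfquery>
</cfif>

<!--- 2. Displaying posts: encode at output time with HTMLEditFormat, which turns
      <, >, & and " into entities, so a stored tag or <script> element renders as
      literal text instead of being parsed by the visitor's browser. --->
<cfquery name="posts" datasource="guestbook">
    SELECT name, message, posted FROM guestbook ORDER BY posted DESC
</cfquery>

<cfoutput query="posts">
    <p>
        <strong>#HTMLEditFormat(posts.name)#</strong>
        (#DateFormat(posts.posted, "yyyy-mm-dd")#)<br>
        #HTMLEditFormat(posts.message)#
    </p>
</cfoutput>
```

Encoding on output rather than on the way into the database keeps the stored text intact and means every page that displays it is protected the same way.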