RE: Forms and CF Code

2001-12-19 Thread Shawn Grover
rom: Jochem van Dieten [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 19, 2001 9:32 AM To: CF-Talk Subject: Re: Forms and CF Code Shawn Grover wrote: > > I place my stripping functions in the application.cfm - so that every page I > code is automagically protected from the script ki

Re: Forms and CF Code

2001-12-19 Thread Jochem van Dieten
Shawn Grover wrote: > > I place my stripping functions in the application.cfm - so that every page I > code is automagically protected from the script kiddies, without me having > to worry about it on every page I write. (My functions loop through the > Query parameters, and the form elements -

RE: Forms and CF Code

2001-12-19 Thread Shawn Grover
tions loop through the Query parameters, and the form elements - guess I should include cookies in there too.) My two cents worth. Shawn Grover > -Original Message- > From: Raymond Camden [mailto:[EMAIL PROTECTED]] > Sent: 19 December 2001 15:44 > To: CF-Talk > Subject: R

Re: Forms and CF Code

2001-12-19 Thread Jochem van Dieten
Raymond Camden wrote: >> >>Many people generate dynamic forms and loop over either >>form.fieldnames >>or the form collection to evaluate the forms that are posted >>back. This >>frequently involves the Evaluate() function. Something like: >> >> >> other code >> >> > > This is bad

RE: Forms and CF Code

2001-12-19 Thread Raymond Camden
> > > Why would anyone need to clean cfcode? Unless you save user > input to a > > file and cfinclude it, it will not get executed. > > > Many people generate dynamic forms and loop over either > form.fieldnames > or the form collection to evaluate the forms that are posted > back. This >

Re: Forms and CF Code

2001-12-19 Thread Jochem van Dieten
Raymond Camden wrote: > Why would anyone need to clean cfcode? Unless you save user input to a > file and cfinclude it, it will not get executed. That is a dangerous oversimplification. Many people generate dynamic forms and loop over either form.fieldnames or the form collection to evaluate

RE: Forms and CF Code

2001-12-19 Thread Steve Martin
mber 2001 15:44 > To: CF-Talk > Subject: RE: Forms and CF Code > > > Why would anyone need to clean cfcode? Unless you save user input to a > file and cfinclude it, it will not get executed. > > FYI, to clean HTML and stuff

RE: Forms and CF Code

2001-12-19 Thread Raymond Camden
k > Subject: RE: Forms and CF Code > > > In addition to CF code, you may need to strip out other > characters to avoid > SQL hacks and such. If I can, I strip all < > ; # % * ' ( ) > and , with > REReplace or use REFind to detect the nasty ones and throw an e

RE: Forms and CF Code

2001-12-18 Thread Alex
use validation. regular expressions. On Tue, 18 Dec 2001, Tangorre, Michael T. wrote: > Yes, that is correct > > > -Original Message- > From: Alex [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, December 18, 2001 5:54 PM > To: CF-Talk > Subject: Re: Forms and CF

RE: Forms and CF Code

2001-12-18 Thread Matt Robertson
MAIL PROTECTED] date: Tue, 18 Dec 2001 19:40:55 -0500 Yes, that is correct -Original Message- From: Alex [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 18, 2001 5:54 PM To: CF-Talk Subject: Re: Forms and CF Code Do you mean submit code in formfields? On Tue, 18 Dec 2001, Tangor

RE: Forms and CF Code

2001-12-18 Thread Tangorre, Michael T.
Yes, that is correct -Original Message- From: Alex [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 18, 2001 5:54 PM To: CF-Talk Subject: Re: Forms and CF Code Do you mean submit code in formfields? On Tue, 18 Dec 2001, Tangorre, Michael T. wrote: > Hi Everyone. > > W

RE: Forms and CF Code

2001-12-18 Thread Jennifer Larkin
In addition to CF code, you may need to strip out other characters to avoid SQL hacks and such. If I can, I strip all < > ; # % * ' ( ) and , with REReplace or use REFind to detect the nasty ones and throw an error message, including sending an email message to me. < and > eliminate the functi
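Two of the hazards raised in this thread, Evaluate() over form.fieldnames (Jochem's and Raymond's exchange above) and character-stripping as a defence against SQL injection (Jennifer's post just above), can be shown side by side in CFML. The block below is an added example written for this page, not code posted by any participant; the datasource name "mydsn", the table "comments" and the field names are assumed for illustration.

```cfml
<!--- Added example (not from the thread). Constructed to show the hazard
      and a safer pattern for processing posted form fields. --->

<!--- UNSAFE: field names come from the client. Evaluate() processes pound
      signs inside its string argument, so a posted field whose name carries
      an expression, e.g. x#Now()#, is handed to the expression evaluator. --->
<cfloop list="#form.fieldnames#" index="fieldName">
    <cfset value = Evaluate("form." & fieldName)>
</cfloop>

<!--- SAFER: treat the form scope as a structure and look the key up
      directly; nothing is evaluated. Also whitelist the names you expect
      instead of accepting whatever the client sends. --->
<cfset allowedFields = "username,comment">
<cfset clean = StructNew()>
<cfloop list="#form.fieldnames#" index="fieldName">
    <cfif ListFindNoCase(allowedFields, fieldName)>
        <cfset clean[fieldName] = form[fieldName]>
    </cfif>
</cfloop>

<!--- SAFER than stripping ' ( ) ; etc.: bind the values with cfqueryparam.
      The database receives data and SQL separately, so a quote in the
      comment is stored as a quote rather than breaking the statement.
      "mydsn" and the "comments" table are assumed names. --->
<cfif StructKeyExists(clean, "username") AND StructKeyExists(clean, "comment")>
    <cfquery name="insComment" datasource="mydsn">
        INSERT INTO comments (username, body)
        VALUES (
            <cfqueryparam value="#clean.username#" cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#clean.comment#"  cfsqltype="cf_sql_varchar">
        )
    </cfquery>

    <!--- On output, encode instead of deleting < and >: the text survives
          intact and the browser renders it as text, not markup. --->
    <cfoutput>
        <p>#HTMLEditFormat(clean.username)# wrote:
           #HTMLEditFormat(clean.comment)#</p>
    </cfoutput>
</cfif>
```

The point of the structure lookup is that form[fieldName] never passes the name through the expression parser, so an attacker-chosen field name cannot smuggle CFML in; and cfqueryparam removes the need to guess which characters are "nasty", which is why it is preferable to an REReplace blacklist that also mangles legitimate input such as O'Brien.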

Re: Forms and CF Code

2001-12-18 Thread Alex
Do you mean submit code in formfields? On Tue, 18 Dec 2001, Tangorre, Michael T. wrote: > Hi Everyone. > > What steps can be taken to prevent users from submitting cfcode via a form? > Is there any tags out there that will protect? > Any ideas suggestions would be much appreciated. > > Michae

RE: Forms and CF Code

2001-12-18 Thread Shawn Grover
I wrote a simple routine that would loop through all the form elements, strip out HTML, and change single quotes to chr(97). It'd be easy enough to do something similar for cfcode - just check for the mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 18, 2001 3:38 PM To: CF-Talk Subject: Forms an