Filtering Form Input??

I've written a function that includes the following commands:

    // replace single quotes (') - for entry into SQL Server
    TargString = REReplaceNoCase(TargString, "[']", chr(96), "ALL");
    // Replace < with [
    TargString = REReplaceNoCase(TargString, "[<]", "[", "ALL");
    // Replace > with ]
    TargString = REReplaceNoCase(TargString, "[>]", "]", "ALL");

This makes any user inputted data safe for data entry, and for display. The data in question would be inserted into the database, and used for display purposes. So, we need to handle single quotes, and angle brackets at a minimum.

We decided to use chr(96) for the single quotes because we have a number of stored procedures which dynamically generate their SQL statements, and found quotes in the strings can cause trouble.

The angle brackets are somewhat troublesome, because we have run into situations in which authorized users can enter a formula (these would be people who know what they are doing). So straight conversion to the '&gt;' or '&lt;' strings doesn't quite work out. Using the square brackets at least gives the end user an idea of what is supposed to be there.

Is there a better way to go about this? Have I missed any other special characters that can break a database or output?

Thanks for any response.

Shawn Grover

~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
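The post asks whether rewriting quotes and angle brackets before storage is the right approach. The alternative a security reviewer would point to is to keep the stored text unchanged, bind values as query parameters when they go into SQL Server, and encode them for HTML only at display time. The following is an added example written for this thread, not code from the original poster or from the cf-talk list; the datasource name `application.dsn`, the table `Notes(Author, Body)`, the procedure `usp_InsertNote` and the form fields `author` and `body` are all hypothetical.

```cfml
<!--- Added example (not from the original post). Assumes a datasource named
      in application.dsn, a table Notes(Author, Body), a stored procedure
      usp_InsertNote, and a form posting "author" and "body" fields; all of
      these names are hypothetical. --->

<!--- 1. Storage: bind the raw value as a typed parameter instead of
      rewriting its quotes. The driver handles quoting, so O'Brien is stored
      as O'Brien, and a value is never interpreted as part of the statement. --->
<cfquery datasource="#application.dsn#">
    INSERT INTO Notes (Author, Body)
    VALUES (
        <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#form.body#" cfsqltype="cf_sql_longvarchar">
    )
</cfquery>

<!--- 2. Stored procedures: pass values as procedure parameters for the same
      reason. Caveat: a procedure that concatenates its parameters into a
      dynamic SQL string is still exposed on the T-SQL side; inside the
      procedure, build the statement with sp_executesql and parameters
      rather than EXEC(@sql). --->
<cfstoredproc procedure="usp_InsertNote" datasource="#application.dsn#">
    <cfprocparam type="in" cfsqltype="cf_sql_varchar" value="#form.author#" maxlength="100">
    <cfprocparam type="in" cfsqltype="cf_sql_longvarchar" value="#form.body#">
</cfstoredproc>

<!--- 3. Display: encode at output time, not at storage time. The stored
      text keeps its real < and > characters (so an authorized user's
      formula survives intact), and the browser shows them literally
      because they are escaped here rather than rendered as markup. --->
<cfquery name="getNotes" datasource="#application.dsn#">
    SELECT Author, Body FROM Notes
</cfquery>
<cfoutput query="getNotes">
    <p><strong>#HTMLEditFormat(Author)#</strong>: #HTMLEditFormat(Body)#</p>
</cfoutput>
```

Separating the two concerns answers the "what other characters have I missed" question: there is no list to maintain, because the parameter binding handles every character on the SQL side and HTMLEditFormat() (encodeForHTML() on newer ColdFusion releases) handles `<`, `>`, `&` and `"` on the output side. A check worth running on an existing code base is to search the stored procedures for EXEC with a concatenated string, since that is the one place where parameter binding from ColdFusion does not reach.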