RE: Troublesome or Dangerous Form Submission Characters for SQL

2005-03-03 Thread Adrian Lynch
Nothing if you're using queryparam/SPs; however, on pulling the data back out,
double quotes may cause you trouble in text inputs (or single quotes if
that's how you delimit your attributes in HTML).

Use HTMLEditFormat() to solve the problem with double quotes.

Ade

-Original Message-
From: Mike Chabot [mailto:[EMAIL PROTECTED]
Sent: 03 March 2005 19:03
To: CF-Talk
Subject: Troublesome or Dangerous Form Submission Characters for SQL


Are there any characters that a user could enter into a textarea form
field that I should strip out before inserting the value into an MS
SQL Server varchar field? Could these characters cause problems?
semi-colon,,*,+,-,--,?,%,_.

To prevent SQL injection, I could strip out truncate, drop, insert,
update, delete, and '--.' However, queryparam and the use of stored
procedures should prevent SQL injection.

Thank you,
Mike Chabot



Re: Troublesome or Dangerous Form Submission Characters for SQL

2005-03-03 Thread Mike Chabot
Thanks for the tip about the double quotes. I am concerned that some
people who enter  in the text field will see the five-character
HTML-safe equivalent when they go to edit the value because of the
HtmlEditFormat function. IE 6 does not seem to have this problem. Are
there any browsers that display the contents of the value attribute
literally, instead of properly interpreting the HTML-safe code?

Similarly, when I submit a field whose value attribute equals an
expanded HTML-safe code, CF receives the interpreted,
single-character value (actually %26 for amp; if you look at the
headers). Are there any browsers that do not do this?

As a general rule, should I wrap HtmlEditFormat around all form field
values? For example:
<input type="text" value="#HtmlEditFormat(form.fieldname)#">

Thank you,
Mike Chabot




RE: Troublesome or Dangerous Form Submission Characters for SQL

2005-03-03 Thread Adrian Lynch
I would. Knock up a quick example:

<cfparam name="FORM.myInput" default="">

<cfoutput>
<form>
<input type="text" name="myInput" value="#FORM.myInput#">
<input type="submit">
</form>
</cfoutput>

Submit HellaCool and it should drop the Cool. Try it with HTMLEditFormat()
on as many browsers as you can and chances are it'll be consistent on all of
them.

Ade
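The two points made in this thread in runnable form, as an added example that is not from the thread: Python with SQLite standing in for MS SQL Server, html.escape() standing in for HTMLEditFormat(), and the standard-library HTML parser standing in for the browser (all three are assumptions of this example). Bound parameters store the troublesome characters as data, and the value attribute keeps a double quote only when it is escaped.

```python
import html
import sqlite3
from html.parser import HTMLParser

# Constructed sample inputs covering the characters the thread asks about.
TROUBLESOME_INPUTS = [
    "; DROP TABLE notes; --",
    'Hella"Cool',
    "it's 100% _odd_ *+?-",
]


def store_and_fetch(values):
    """Insert each value with a bound parameter (what <cfqueryparam> does) and
    read the rows back. SQLite stands in for MS SQL Server (an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    for v in values:
        # The value travels as data; the SQL text never contains it.
        conn.execute("INSERT INTO notes (body) VALUES (?)", (v,))
    rows = [r[0] for r in conn.execute("SELECT body FROM notes ORDER BY id")]
    conn.close()
    return rows


def render_input(value, escape=True):
    """Render the value back into the <input> from the example above. escape=True
    is the HTMLEditFormat() path (html.escape as stand-in); escape=False is raw."""
    attr = html.escape(value, quote=True) if escape else value
    return '<input type="text" name="myInput" value="%s">' % attr


class _ValueReader(HTMLParser):
    """Records the value= attribute the way a browser's parser would see it."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.value is None:
            self.value = dict(attrs).get("value")


def browser_sees(markup):
    """Return the decoded value attribute (entities undone), or None."""
    reader = _ValueReader()
    reader.feed(markup)
    return reader.value
```

Rendering Hella"Cool unescaped gives the browser only "Hella", which is the truncation the example above describes; the escaped rendering round-trips every input unchanged.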

