> I have to agree with Dave. Every possible client scope needs to be checked -
> and the form scope seems rudimentary to me. Not checking the form scope is
> like setting up a firewall and locking down everything except a few dozen
> ports near the bottom of the stack (after all ... we rarely get attacked
> from ports 10 through 30 :)
I agree you should do input validation on the form scope, but not with my script. The logic behind it looks for a semi-colon and any SQL keyword within the same form field. The likelihood that a comments field or other form field will meet the criteria is too high to use a blanket keyword scanner like this.

I agree that you should validate any data you're passing to queries, regardless of the variable scope, but some methods are great for some scopes and not others given the methodology. The script can be easily modified to check the form scope as well, but you may see false positives if you do that.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310513
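As an added example that is not part of the original thread (written in Python rather than CFML, with a constructed keyword list and a constructed sample form), this shows the semicolon-plus-keyword heuristic Justin describes, the kind of benign free-text comment that trips it, and the parameterised query that makes such scanning unnecessary for the query's correctness:

```python
import re
import sqlite3

# Constructed keyword list; the original script's list is not on the page.
SQL_KEYWORDS = ("select", "insert", "update", "delete", "drop", "union", "exec")


def looks_suspicious(value: str) -> bool:
    """The heuristic from the thread: flag a value only when it contains a
    semicolon AND at least one SQL keyword as a whole word."""
    if ";" not in value:
        return False
    words = set(re.findall(r"[a-z]+", value.lower()))
    return any(keyword in words for keyword in SQL_KEYWORDS)


def scan_scope(scope: dict) -> dict:
    """Run the heuristic over every field of a scope (url, form, ...)."""
    return {name: looks_suspicious(value) for name, value in scope.items()}


def store_comment(conn: sqlite3.Connection, user: str, comment: str) -> str:
    """Parameterised insert: the comment is bound as data, never spliced into
    SQL text, so semicolons and keywords in it are harmless. Returns the
    stored body so the round trip can be checked."""
    conn.execute("INSERT INTO comments(user, body) VALUES (?, ?)", (user, comment))
    row = conn.execute("SELECT body FROM comments WHERE user = ?", (user,)).fetchone()
    return row[0]


def demo() -> tuple:
    # Constructed form submission: the comment is ordinary English, yet it
    # has a semicolon and the words "update" and "select" in one field.
    form = {
        "email": "alice@example.com",
        "comment": "Great tips; update me when you select a winner",
        "zip": "90210",
    }
    flags = scan_scope(form)  # {"email": False, "comment": True, "zip": False}
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(user TEXT, body TEXT)")
    stored = store_comment(conn, "alice", form["comment"])
    return flags, stored


if __name__ == "__main__":
    print(demo())
```

The false positive on `comment` is the case Justin warns about: a blanket scanner is a reasonable tripwire for the URL scope, but on free-text form fields the query-side defence (binding parameters) is what actually has to carry the weight.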