Hi Folks,
I have several large forms connected to MySQL tables.
I use <cfqueryparam when querying and inserting data from the form after it has
been validated for the content that I need (no blank fields etc.).
I created the following validation to check for scripts etc. being injected.
Is there anything else I should check for that would indicate someone was
hacking the page?
Thanks
Rob
<!--- Loop over every submitted field value and flag anything that looks like injected markup, script or SQL --->
<cfloop index="checkVariables" list="#user#,#upDate#,#parts#,#workshopCode1#,#workshopCode2#,#workshopCode3#,#programCode#" delimiters=",">
    <!--- Characters that have no business in these fields --->
    <cfif REFind('[~^*+={}|\\/\[\]<>]', checkVariables)>
        <cfset badCharacter="yes">
        <cfset errorData="<h3>You have an illegal character ""~^*+={}|\/<>"" in one of the fields</h3>">
    </cfif>
    <!--- HTML event-handler attribute names --->
    <cfif REFindNoCase('onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect', checkVariables)>
        <cfset badEvent="yes">
        <cfset errorData="<h3>You have an illegal event in one of the fields</h3>">
    </cfif>
    <!--- HTML tag names and executable extensions; the dots are escaped so ".exe" and ".bat" match literally --->
    <cfif REFindNoCase('script|object|applet|embed|form|layer|frame|frameset|param|meta|\.exe|\.bat', checkVariables)>
        <cfset badAction="yes">
        <cfset errorData="<h3>You have an illegal action ""script, object, applet, embed, form, layer, frame"" in one of the fields</h3>">
    </cfif>
    <!--- SQL keywords --->
    <cfif REFindNoCase('append|delete|char|declare|cast|execute|sp_sqlExecute|select|insert|update|drop|alter', checkVariables)>
        <cfset badSql="yes">
        <cfset errorData="<h3>You have an illegal database action ""append, delete, declare, cast, execute, sp_sqlExecute, select, insert, update, drop, alter"" in one of the fields</h3>">
    </cfif>
</cfloop>
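As an added example, not the poster's code, here are the post's four blacklists ported from CFML to Python and run beside a per-field allow-list whose field formats are assumed for illustration. It shows the blacklist rejecting ordinary values (a name containing "exe", the word "Information", the word "character") while the allow-list accepts them and still rejects markup; with cfqueryparam already in place the SQL-keyword check adds nothing, and script injection is handled by encoding on output rather than by blocking words on input.

```python
import re

# The four blacklists from the post, ported from CFML REFind to Python re
# (added example, not the poster's code). ".exe|.bat" is kept as posted so its
# effect shows: the unescaped dot matches any character, so "Alexei" trips ".exe".
BAD_CHARS = re.compile(r'[~^*+={}|\\/\[\]<>]')
BAD_EVENTS = re.compile(r'onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|'
                        r'onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect', re.I)
BAD_ACTIONS = re.compile(r'script|object|applet|embed|form|layer|frame|frameset|param|meta|.exe|.bat', re.I)
BAD_SQL = re.compile(r'append|delete|char|declare|cast|execute|sp_sqlExecute|select|insert|'
                     r'update|drop|alter', re.I)

def blacklist_flags(value):
    """Which of the post's checks fire for one field value (REFind search semantics)."""
    return {
        "badCharacter": bool(BAD_CHARS.search(value)),
        "badEvent": bool(BAD_EVENTS.search(value)),
        "badAction": bool(BAD_ACTIONS.search(value)),
        "badSql": bool(BAD_SQL.search(value)),
    }

def blacklist_rejects(fields):
    """Field names the post's cfloop would reject, in submission order."""
    return [name for name, value in fields.items() if any(blacklist_flags(value).values())]

# Allow-list alternative: state what each field may contain. These formats are
# assumptions for illustration; replace them with the real formats of the form.
FIELD_FORMATS = {
    "user": re.compile(r'[A-Za-z0-9_.-]{1,32}'),
    "upDate": re.compile(r'\d{4}-\d{2}-\d{2}'),
    "parts": re.compile(r'[A-Za-z0-9 ,.-]{1,200}'),
    "workshopCode1": re.compile(r'[A-Z]{2,4}\d{2,4}'),
    "programCode": re.compile(r'[A-Z]{2,4}\d{2,4}'),
}

def allowlist_rejects(fields):
    """Field names whose value is not entirely in its declared format (or has no format)."""
    return [name for name, value in fields.items()
            if name not in FIELD_FORMATS or not FIELD_FORMATS[name].fullmatch(value)]

if __name__ == "__main__":
    # Constructed sample submission: ordinary values that the blacklist wrongly blocks.
    benign = {"user": "Alexei", "upDate": "2010-06-15", "parts": "Information sheet, character set",
              "workshopCode1": "WS101", "programCode": "PRG2010"}
    print("blacklist rejects:", blacklist_rejects(benign))                          # ['user', 'parts']
    print("allow-list rejects:", allowlist_rejects(benign))                         # []
    print("allow-list rejects:", allowlist_rejects(dict(benign, user="<b>Alexei</b>")))  # ['user']
```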
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341240