Hi Folks, I have several large forms connected to MySQL tables. I use <cfqueryparam> when querying and inserting data from the form after it has been validated for content that I need (no blank fields etc.).
I created the following validation to check for scripts etc. being injected. Is there anything else I should check for that would indicate someone was hacking the page? Thanks, Rob

    <cfloop index="checkVariables" list="#user#, #upDate#, #parts#, #workshopCode1#, #workshopCode2#, #workshopCode3#, #programCode#" delimiters=",">
        <!--- Reject any field value containing one of these characters. --->
        <cfif REFind('[~^*+={}|\\/\[\]<>]', checkVariables)>
            <cfset badCharacter="yes">
            <cfset errorData="<h3>You have an illegal character ""~^*+={}|\/<>"" in one of the fields</h3>">
        </cfif>
        <!--- JavaScript event-handler attribute names. --->
        <cfif REFindNoCase('onClick|onDblClick|onKeyDown|onKeyPress|onKeyUp|onMouseDown|onMouseOut|onMouseUp|onMouseOver|onBlur|onChange|onFocus|onSelect', checkVariables)>
            <cfset badEvent="yes">
            <cfset errorData="<h3>You have an illegal event in one of the fields</h3>">
        </cfif>
        <!--- HTML tag names and executable file extensions (the dots are escaped so they match literally). --->
        <cfif REFindNoCase('script|object|applet|embed|form|layer|frame|frameset|param|meta|\.exe|\.bat', checkVariables)>
            <cfset badAction="yes">
            <cfset errorData="<h3>You have an illegal action ""script, object, applet, embed, form, layer, frame"" in one of the fields</h3>">
        </cfif>
        <!--- SQL keywords. --->
        <cfif REFindNoCase('append|delete|char|declare|cast|execute|sp_sqlExecute|select|insert|update|drop|alter', checkVariables)>
            <cfset badSql="yes">
            <cfset errorData="<h3>You have an illegal database action ""append, delete, declare, cast, execute, sp_sqlExecute, select, insert, update, drop, alter"" in one of the fields</h3>">
        </cfif>
    </cfloop>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341240
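The keyword checks above reject a lot of ordinary input (any value containing "char", "select", "form" or "update") while still depending on guessing every bad word. As an added example, not code from Rob's post, here is the per-field allow-list approach in cfscript: each field is matched against a pattern describing what it may contain, cfqueryparam handles quoting for the database, and encoding on output handles the browser. The field patterns, the sample values and the validateFields() name are assumptions chosen to fit the form fields named in the post.

```cfml
<cfscript>
// Added example, not from the original post. Field names match the post's form;
// the patterns below are assumptions and should be tightened to each field's real format.
rules = {
    user          = { type = "regex", pattern = "^[A-Za-z0-9_.@-]{3,64}$" },
    upDate        = { type = "date",  pattern = "" },
    parts         = { type = "regex", pattern = "^[A-Za-z0-9 ,.'()-]{1,200}$" },
    workshopCode1 = { type = "regex", pattern = "^[A-Z]{2,4}[0-9]{2,4}$" },
    programCode   = { type = "regex", pattern = "^[A-Z0-9]{1,10}$" }
};

// Returns a struct of field -> problem; an empty struct means every field passed.
// Anything its own pattern does not match is rejected, so no list of bad words is needed.
function validateFields(formData, rules) {
    var errors = {};
    var field  = "";
    var value  = "";
    var rule   = "";
    for (field in arguments.rules) {
        rule  = arguments.rules[field];
        value = structKeyExists(arguments.formData, field) ? trim(arguments.formData[field]) : "";
        if (rule.type == "date") {
            if (!isValid("date", value)) errors[field] = "must be a valid date";
        } else if (!REFind(rule.pattern, value)) {
            errors[field] = "contains characters not allowed in this field";
        }
    }
    return errors;
}

// Constructed sample submission: benign text that the post's keyword list would reject
// ("char" in Charlie, "select" in selector, "update" in updated) but the allow-list accepts.
// The apostrophe in parts is allowed because <cfqueryparam> takes care of quoting.
sample = { user = "rob_smith", upDate = "2010-03-01", parts = "Charlie's selector bracket, updated",
           workshopCode1 = "WS101", programCode = "PRG7" };
problems = validateFields(sample, rules);   // empty struct for the sample above

hostile = duplicate(sample);
hostile.parts = "<script>alert(1)</script>";
problems = validateFields(hostile, rules);  // problems.parts is set: '<', '>' and '/' are outside the pattern

// Validation limits what gets stored; encoding on output is what keeps stored text from
// being treated as markup. encodeForHTML() is ColdFusion 10+; on CF9 use HTMLEditFormat().
writeOutput("<p>" & encodeForHTML(sample.parts) & "</p>");
</cfscript>
```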