Casey, the best way to avoid this problem is to use cfqueryparam within your
SQL.
If you want to modify the form, URL, etc. to make sure no malicious code is
included, you can loop through the structure like so.
I use this to trim submissions, but you can modify it to remove special
characters.
<!--- Walk every key in the form scope and replace its value with the trimmed value --->
<cfloop collection="#form#" item="i">
    <cfset form[i] = trim(form[i])>
</cfloop>
============================================
Bryan F. Hogan
Director of Internet Development
Macromedia Certified ColdFusion MX Developer
Digital Bay Media, Inc.
1-877-72DIGITAL
============================================
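As an added illustration of the advice in the reply above (this is example code, not something from the original post or from the list), the block below puts a query that splices a raw form value into its SQL next to the same query written with cfqueryparam, and then shows the trimming loop extended to the URL scope. The datasource name myDSN, the users table and its username, email and id columns, and the form.username and url.id inputs are all assumptions made for the example.

```cfml
<!--- Added example, not from the original post. The datasource "myDSN", the
      "users" table and the columns username, email and id are hypothetical. --->

<!--- VULNERABLE: the raw form value is pasted straight into the SQL string.
      A username such as   x' OR '1'='1   closes the quote and changes the
      meaning of the query. Stripping a list of "bad" characters first is
      fragile because the list is never complete. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT username, email
    FROM   users
    WHERE  username = '#form.username#'
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a typed bind parameter, so the
      database never parses it as SQL. The quote characters in the example
      above are then just data. maxlength additionally rejects oversized input. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT username, email
    FROM   users
    WHERE  username = <cfqueryparam value="#form.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- Numeric columns: cf_sql_integer makes ColdFusion raise an error for
      non-numeric input instead of passing it on to the database. --->
<cfquery name="getUserById" datasource="myDSN">
    SELECT username, email
    FROM   users
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Portable normalisation, placed in a cfinclude at the top of each page:
      trims every form and URL value. This is a convenience for clean data,
      not the injection defence; cfqueryparam in the queries is the defence. --->
<cfloop collection="#form#" item="key">
    <cfif isSimpleValue(form[key])>
        <cfset form[key] = trim(form[key])>
    </cfif>
</cfloop>
<cfloop collection="#url#" item="key">
    <cfif isSimpleValue(url[key])>
        <cfset url[key] = trim(url[key])>
    </cfif>
</cfloop>
```

The point of the side-by-side is that the hardened query needs no character filtering at all: the database receives the SQL text and the parameter value separately, so the application does not have to guess which characters an attacker might use.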
-----Original Message-----
From: Casey C Cook [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 09, 2002 10:52 AM
To: CF-Talk
Subject: SQL Insertion attacks
I remember a couple of threads about this topic, however, I never have any
luck with the archives. What approaches have you taken to stop SQL
insertion attacks? Our current thinking is to check for a set of certain
characters (*, ', &, etc.) and make the user remove those characters before
submitting a template. One of my questions regarding this approach is: Can
you loop through each input form field (in JavaScript? in ColdFusion?) in
some sort of array that contains form variables and ensure all potentially
malicious characters are removed before form submission? What I am trying
to avoid is checking each form field separately, and I would like the code
to be portable to many applications, hopefully in a cfinclude on each page
that contains input fields. Your input/help is greatly appreciated.
Thanks!
Casey Cook
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4