That means you also have to do the Form scope, since people can do
effectively the same on a Username field.

BUT, if you do that, it means that people can't use any of those layouts
in their entries on the forms, if you're using TEXTAREAs.

> From: Paul Vernon
>
> I've just been playing around with some ideas for cleansing
> URLs especially with regards to the injection of SQL code and
> I came up with the following piece of code on my test rig:
>
> <cfloop collection="#URL#" item="field">
>   <cfset tmp = REReplaceNoCase(trim(evaluate("URL." & field)),
>     "\;(.*)(SELECT|DROP|UPDATE|DELETE|TRUNCATE)(.*)$", "", "ALL")>
>   <cfif CompareNoCase(tmp, trim(evaluate("URL." & field))) NEQ 0>
>     <cfthrow type="URLCleanser" message="Unsafe data detected in URL">
>   </cfif>
> </cfloop>
>
> Other than the fact that I haven't added in all the SQL
> keywords that I intend to look for, are there any obvious
> flaws in using this approach to look for SQL code injections?
>
> I know I can (and I do) use Val() and/or CFQUERYPARAM to
> validate values when I'm actually at the point of doing a
> query but, running this code (or something like it) before I
> get anywhere near a query is a far better option IMO.
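The two objections raised in this thread, that the keyword regex fires on harmless text and that it only looks at what follows a semicolon, are easier to see running. The following is an added example, not code from the post or from either poster: it re-implements the posted ColdFusion check in Python with the same regular expression, runs it over constructed parameter sets, and contrasts string-built SQL with a bound parameter (the job CFQUERYPARAM does) using sqlite3. The `users` table, the sample values and the helper names are assumptions made for illustration.

```python
import re
import sqlite3

# Same pattern as the REReplaceNoCase call in the post: a semicolon, anything,
# one of the listed keywords, then anything up to the end of the value.
SQL_KEYWORD_PATTERN = re.compile(
    r";(.*)(SELECT|DROP|UPDATE|DELETE|TRUNCATE)(.*)$", re.IGNORECASE
)


def url_cleanser(params):
    """Mimic the posted <cfloop> check over a dict of URL parameters.

    Returns the names of parameters whose value changes when the pattern is
    stripped (CompareNoCase in the post). An empty list means the request
    would pass; a non-empty list means the post's <cfthrow> would fire.
    """
    flagged = []
    for name, value in params.items():
        value = value.strip()
        tmp = SQL_KEYWORD_PATTERN.sub("", value)
        if tmp.lower() != value.lower():
            flagged.append(name)
    return flagged


# Constructed sample requests (assumptions, not data from the thread).
CLEAN = {"id": "42", "username": "alice"}
STACKED = {"id": "42; DROP TABLE users"}                     # caught: ';' + keyword
NO_SEMICOLON = {"username": "alice' OR '1'='1"}              # missed: no ';', no keyword
LEGIT_TEXTAREA = {"comment": "Ordered; select a size and update me"}  # false positive


def demo_db():
    """In-memory table standing in for the real database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)]
    )
    conn.commit()
    return conn


def lookup_user_concatenated(conn, username):
    """The vulnerable shape the cleanser is meant to protect: string-built SQL.
    The value becomes part of the statement, so quotes change its structure."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_user(conn, username):
    """Bound parameter, the equivalent of <cfqueryparam>: the value is sent as
    data and can never alter the statement, whatever characters it contains."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    for label, params in [("clean", CLEAN), ("stacked", STACKED),
                          ("no semicolon", NO_SEMICOLON),
                          ("legit textarea", LEGIT_TEXTAREA)]:
        print("%-15s flagged: %s" % (label, url_cleanser(params)))
    conn = demo_db()
    evil = NO_SEMICOLON["username"]
    print("concatenated:", lookup_user_concatenated(conn, evil))  # both rows
    print("parameterised:", lookup_user(conn, evil))              # None
```

Running it shows the cleanser catching the stacked `; DROP` value, passing the quote-based value that contains neither a semicolon nor a keyword, and rejecting an ordinary comment that happens to contain "select" and "update". The bound-parameter lookup returns nothing for the hostile value, while the concatenated query returns every row, which is why the filter is at best a supplement to parameterising the query itself.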