Yes. You are invulnerable to sql injection if you use it on all of
your inputs. As in from-the-planet-Krypton invulnerable.
What other best practices are there to ensure nothing can happen?
Unplug your web server from the internet and turn it off.
No, seriously, there is no way you can be absolutely secure. You can
do your due diligence but you will never be safe from *everything* a
determined attacker will throw at you.
Some other things you can do are scrub your url params for funny stuff.
In the most recent discussion on this Jochem mentioned that simply
plugging in htmleditformat() around your vars will proof them against
cross-site scripting. I toss this into Application.cfm.
<!--- Rebuild the requested URL (script name plus decoded query string) --->
<cfif Len(Trim(cgi.query_string)) gt 0>
    <cfset variables.QueryDelim = "?">
<cfelse>
    <cfset variables.QueryDelim = "">
</cfif>
<cfset variables.thisURLVar = cgi.script_name & variables.QueryDelim & urldecode(cgi.query_string)>
<!--- Run it through the CodeCleaner custom tag; the cleaned copy comes back in variables.myURL --->
<CF_CodeCleaner
    input="#variables.thisURLVar#"
    r_output="myURL">
<!--- CompareNoCase() returns 0 only when both strings match, so a non-zero
      result means the cleaner stripped something and the request is refused --->
<cfif CompareNoCase(variables.thisURLVar, variables.myURL)>
    <cfheader statuscode="500" statustext="Server Error">
    <cfabort>
</cfif>
This uses a custom tag you can get out of the DevEx and may be
overkill. Still, it only eats about 10ms per page view and brings a
beatific albeit somewhat vacant look into my eyes.
You can also test for a valid referer on your forms, but those can be
easily faked by anyone who is serious. The only way to put that one
to bed is to use those graphical thingies on a form where a human user
has read it and type in the letters in the graphic. I forget what
they are called.
Is it Friday yet? Gawd what a day...
--
--Matt Robertson--
MSB Designs, Inc.
mysecretbase.com
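An added example, not from Matt's post or from anyone on the list, showing the two practices the message leans on in CFML: a typed bind parameter on every value that reaches a query (the thread's "it" is taken to be cfqueryparam) and htmlEditFormat() on everything echoed back to the browser. The datasource name "myDSN", the table "users" and its columns id and username are assumptions.

```cfml
<!--- Added example, not from the original post or any list member's code.
      Assumes a datasource "myDSN" and a table "users" with columns id and username. --->

<!--- Reject anything that is not an integer before it gets near the query. --->
<cfparam name="url.id" type="integer" default="0">

<!--- Weak pattern (do not use): the value is pasted straight into the SQL text.
          WHERE id = #url.id#
      cfqueryparam sends it as a typed bind parameter instead, so the database
      never parses user input as part of the SQL statement. --->
<cfquery name="getUser" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same rule for string inputs; the wildcards are part of the bound value,
      so a quote or semicolon in url.q is just data. --->
<cfparam name="url.q" default="">
<cfquery name="searchUsers" datasource="myDSN">
    SELECT id, username
    FROM users
    WHERE username LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar">
</cfquery>

<!--- Output side: htmlEditFormat() escapes <, >, & and " so reflected or
      stored input renders as text rather than as markup or script. --->
<cfoutput>
    <p>Results for: #htmlEditFormat(url.q)#</p>
    <cfloop query="searchUsers">
        <p>#htmlEditFormat(searchUsers.username)#</p>
    </cfloop>
</cfoutput>
```

The two halves cover different bugs: the bind parameter stops the input from changing the query, and the output encoding stops it from changing the page. Doing only one leaves the other hole open. On ColdFusion 10 and later, encodeForHTML() is the preferred replacement for htmlEditFormat(); the placement is identical.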