good code.
cfabort in application.cfm?
I think I'll do the same.
----- Original Message ----- 
From: "Andrew Grosset" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Saturday, December 18, 2004 4:36 PM
Subject: Re: Securing CF Apps against SQL Injection & Cross Site Scripting


> I just put the following in my application template to check all urls:
>
> <cfscript>
> // decode once and keep the decoded value so the check below compares like with like
> raw = URLDecode(cgi.query_string);
> tmp = raw;
> // remove all opening and closing tags..
> tmp = Replace(tmp, "<", "", "ALL");
> tmp = Replace(tmp, ">", "", "ALL");
>
> // remove other...
> // [ and ] have to be handled separately
>
> other = "[\(){}]";
> tmp = REReplace(tmp, other, "", "ALL");
> tmp = Replace(tmp, "[", "", "ALL");
> tmp = Replace(tmp, "]", "", "ALL");
>
> tmp = Replace(tmp, "+", "", "ALL");
> tmp = Replace(tmp, "*", "", "ALL");
>
> tmp = ReplaceNoCase(tmp, "DROP", "", "ALL");
> tmp = ReplaceNoCase(tmp, "DELETE", "", "ALL");
> tmp = ReplaceNoCase(tmp, "exe", "", "ALL");
> </cfscript>
>
> <!--- CompareNoCase returns -1, 0 or 1; any non-zero result means something was stripped --->
> <cfif CompareNoCase(raw, tmp) NEQ 0>
>
>   <!--- cfmail tag can go here...... --->
>
>   <cfabort>
>
> </cfif>
>
>
> >Would you be willing to share your modded cf_codecleaner custom tag?
> >
> >Thanks!
> >MAD
> >
>
> 
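The quoted filter only strips a fixed list of characters and keywords from the query string; whatever it does not list still reaches the database and the browser unchanged. The following is an added example, not code from Andrew's post, showing the fix ColdFusion itself provides: bind SQL parameters with cfqueryparam and encode on output with HTMLEditFormat. The datasource "myDSN", the table "products" and its columns "id" and "name" are hypothetical.

```cfml
<!--- Added example; the datasource, table and column names are made up. --->

<!--- Weak: even after the Application.cfm blacklist, the value is pasted
      straight into the SQL text, so the database still parses user input. --->
<cfquery name="weak" datasource="myDSN">
    SELECT id, name FROM products WHERE id = #url.id#
</cfquery>

<!--- Hardened: cfqueryparam sends the value as a typed bind parameter.
      The input is never part of the SQL statement, and a non-integer
      value is rejected by ColdFusion before the query is sent. --->
<cfquery name="safe" datasource="myDSN">
    SELECT id, name FROM products
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Free-text input gets a type and a maximum length; the wildcard
      characters are added to the bound value, not to the SQL text. --->
<cfquery name="search" datasource="myDSN">
    SELECT id, name FROM products
    WHERE name LIKE <cfqueryparam value="%#url.q#%"
                                  cfsqltype="cf_sql_varchar"
                                  maxlength="60">
</cfquery>

<!--- Cross-site scripting is an output problem: encode every untrusted
      value where it is written into HTML instead of deleting characters
      from the request. The list below is safe whatever url.q contained. --->
<p>Results for: <cfoutput>#HTMLEditFormat(url.q)#</cfoutput></p>
<ul>
<cfoutput query="search">
    <li>#HTMLEditFormat(name)#</li>
</cfoutput>
</ul>
```

With queries bound this way the Application.cfm check can stay as a tripwire that mails an alert, but the application no longer depends on it to stop an injection.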

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Special thanks to the CF Community Suite Silver Sponsor - RUWebby
http://www.ruwebby.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:188157
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54