Good code. cfabort in application.cfm? I think I'll do the same.

----- Original Message -----
From: "Andrew Grosset" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Saturday, December 18, 2004 4:36 PM
Subject: Re: Securing CF Apps against SQL Injection & Cross Site Scripting
> I just put the following in my application template to check all URLs:
>
> <cfscript>
> // work on the decoded query string so encoded characters are caught too
> tmp = urldecode(cgi.query_string);
> // remove all opening and closing tags..
> tmp = Replace(tmp, "<", "", "ALL");
> tmp = Replace(tmp, ">", "", "ALL");
>
> // remove other...
> // [ and ] have to be handled separately
>
> other = "[\(){}]";
> tmp = REReplace(tmp, other, "", "ALL");
> tmp = Replace(tmp, "[", "", "ALL");
> tmp = Replace(tmp, "]", "", "ALL");
>
> tmp = Replace(tmp, "+", "", "ALL");
> tmp = Replace(tmp, "*", "", "ALL");
>
> // strip a few SQL / shell keywords (case-insensitive)
> tmp = ReplaceNoCase(tmp, "DROP", "", "ALL");
> tmp = ReplaceNoCase(tmp, "DELETE", "", "ALL");
> tmp = ReplaceNoCase(tmp, "exe", "", "ALL");
> </cfscript>
>
> <!--- CompareNoCase returns -1, 0 or 1, so test for "not equal" rather
>       than "greater than", and compare against the decoded original --->
> <cfif CompareNoCase(urldecode(cgi.query_string), tmp) NEQ 0>
>
> <!--- cfmail tag can go here...... --->
>
> <cfabort>
>
> </cfif>
>
> > Would you be willing to share your modded cf_codecleaner custom tag?
> >
> > Thanks!
> > MAD
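The thread's filter strips characters and keywords out of the query string before the request runs. An added example of the complementary approach a defender would pair it with, not code from the thread or its authors: bind every URL value with cfqueryparam so it can never become SQL text, and encode it on output so it can never become markup. The datasource "myDSN" and the "articles" table with columns id, title and body are assumptions for illustration.

```cfml
<!--- Added example (not from the thread). Assumes datasource "myDSN"
      and a table "articles" with columns id, title, body. --->
<cfparam name="url.id" default="0">
<cfparam name="url.q" default="">

<!--- Reject a non-integer id before it gets anywhere near SQL --->
<cfif NOT isNumeric(url.id) OR url.id LT 1>
  <cfabort>
</cfif>

<!--- Values are bound as typed parameters, never concatenated into
      the SQL string, so no blacklist of characters or keywords is
      needed for the query to stay safe --->
<cfquery name="getArticles" datasource="myDSN">
  SELECT id, title, body
  FROM articles
  WHERE id = <cfqueryparam value="#int(url.id)#"
                           cfsqltype="cf_sql_integer">
  <cfif Len(Trim(url.q))>
    AND title LIKE <cfqueryparam value="%#Trim(url.q)#%"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="100">
  </cfif>
</cfquery>

<!--- Encode on output so stored or reflected text is shown as text,
      which is what stops cross-site scripting on this page --->
<cfoutput>
  <p>Results for: #HTMLEditFormat(url.q)#</p>
</cfoutput>

<cfoutput query="getArticles">
  <h2>#HTMLEditFormat(title)#</h2>
  <p>#HTMLEditFormat(body)#</p>
</cfoutput>
```

The query-string check from the thread can still sit in Application.cfm as an early alarm; the parameter binding and output encoding above are what hold if something gets past it.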