This is a common problem; there are a couple of ways of getting round this:

1) Instead of your JavaScript files being .js they can be .cfm and you can check a referrer. The referrer will be the page that is calling the JS. If the user calls that page directly, write some code that displays nothing. There are some caveats around this but it works most of the time.

2) Even in the earliest of web scripts (FormMail.pl) it has been a good idea to check your referer to your scripts, at least the domain, if not, the actual page. I know this can be spoofed etc but at least you have some protection from most common attacks.

HTH

MD

On 03/01/06, Bryan Stevenson <[EMAIL PROTECTED]> wrote:
> > You could use cfqueryparam or cfqueryparam or even cfqueryparam and, on
> > occasion, cfqueryparam but personally... I'd use cfqueryparam. ;-)
>
> well yes of course you should always use CFQUERYPARAM...BUT that doesn't stop
> someone from faking a form post to add/edit/delete data (i.e. not a SQL
> injection attack...just messing with your data using valid interfaces and a
> faked form post).
>
> .....but yeah....my head is now re-attached and functioning properly ;-)
>
> Cheers
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> phone: 250.480.0642
> fax: 250.480.1264
> cell: 250.920.8830
> e-mail: [EMAIL PROTECTED]
> web: www.electricedgesystems.com
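The referrer domain check from point 2 of the reply above, as an added example that is not part of the original thread and is written in Python rather than CFML. It parses the Referer value and compares its host exactly against an allow-list; the host names, `ALLOWED_HOSTS` and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: hosts whose pages may call the script.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer:
        return None  # script was called directly, or the header was stripped
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
    except ValueError:
        return None  # malformed URL
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".").lower()


def referer_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """True only when the Referer host is exactly one of the allowed hosts."""
    host = referer_host(referer)
    return host is not None and host in allowed_hosts


def handle_request(headers):
    """The check in front of a script: serve it, or display nothing."""
    if referer_allowed(headers.get("Referer")):
        return 200, "script output"
    return 403, ""


# Constructed sample Referer values, not taken from any real log.
SAMPLES = [
    "https://www.example.com/form.cfm",            # own page
    "http://EXAMPLE.com/a/b?x=1",                  # same host, different case
    "",                                            # no referrer at all
    "https://www.example.com.evil.test/form.cfm",  # lookalike host
    "https://evil.test/?u=www.example.com",        # own domain only in query
    "https://www.example.com@evil.test/",          # own domain as userinfo
    "javascript:alert(1)",                         # not an http(s) URL
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(referer_allowed(value), repr(value))
```

Comparing the parsed host exactly is what rejects the lookalike, query-string and userinfo samples, which a substring test for the domain would accept.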

