Ok, point taken. I was thinking in the context of a forum application where one may have strict rules on user input, and that input may go through complex validation that might be server intensive, and it would probably be unlikely that the data validation would require future review. If new vulnerabilities were found, the data could still be parsed and updated in the database once as a separate call instead of every time it is output. The primary objective should be as Dave said: "deny all, then allow".
Andrew

> As Brad pointed out, who's to say what's junk? It is impossible, practically
> speaking, to identify every possible "bad character" that may exist in your
> data, and you may want to use that data in different ways and different
> places. You may, in fact, want to use data in new ways in the future, only
> to find that you have new vulnerabilities for which your current data is
> unsanitized.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
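The two positions in this exchange, "deny all, then allow" on the way in and Dave's point that stored data will later be used in contexts you did not anticipate, fit together as one pattern: allow-list validate what you can, store the raw value, and encode at each output point for that output's context. The script below is an added illustration written for this thread (in Python rather than ColdFusion, and not code from any of the posters); the sample comment, the username pattern and all function names are constructed for the demonstration. It also shows why a one-time "strip the junk" pass on input is a weak substitute: it loses legitimate text and leaves untouched the characters that matter in a context added later, such as a JavaScript string literal.

```python
"""Allow-list validation on input, context-specific encoding on output.

Added example for the CF-Talk thread above; not code from any poster.
Every sample string below is constructed for the demonstration.
"""
import html
import json
import re

# "Deny all, then allow": a username is accepted only if it matches the
# allow-list pattern exactly; anything else is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value: str) -> bool:
    """Return True only for values matching the allow-list in full."""
    return USERNAME_RE.fullmatch(value) is not None


def sanitize_on_input(value: str) -> str:
    """The 'strip the junk once before storing' approach discussed above.

    It guesses one output context (HTML tags), destroys legitimate text
    and ignores characters that matter in every other context.
    """
    return value.replace("<", "").replace(">", "")


def encode_for_html_text(value: str) -> str:
    """Encode for an HTML element body or a quoted HTML attribute."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> block.

    json.dumps handles quotes and backslashes; the extra replacements keep
    a literal '</script>' (or '&') from ever appearing inside the element.
    """
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_comment(raw: str) -> dict:
    """Keep the raw text in storage; encode at each output point."""
    return {
        "html": f"<p>{encode_for_html_text(raw)}</p>",
        "script": f"var comment = {encode_for_js_string(raw)};",
    }


def unhandled_after_input_strip(raw: str) -> list:
    """Characters that sanitize_on_input leaves alone but that a JS string
    context (added later, as Dave anticipates) would still need encoded.
    A non-empty list means the stored copy cannot safely be reused as-is.
    """
    stripped = sanitize_on_input(raw)
    return sorted({c for c in stripped if c in "\"'\\"})


if __name__ == "__main__":
    sample = 'Bob\'s "quoted" <b>post</b>'  # constructed sample comment
    print(validate_username("dave_watts"), validate_username("dave watts"))
    print("input-stripped copy:", sanitize_on_input(sample))
    print("still unencoded for JS:", unhandled_after_input_strip(sample))
    for context, output in render_comment(sample).items():
        print(context, "->", output)
```

Note that the validator rejects rather than repairs: a value that fails the allow-list never reaches storage, which is what "deny all, then allow" buys you. The comment body, which cannot be allow-listed without forbidding ordinary punctuation, is stored untouched and encoded differently for the HTML fragment and for the script fragment; adding a third output context later means adding a third encoder, not re-parsing the database.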

