> Until now, I just check for strings "http" or "user" in 
> url.id containing something else than an integer value.
> I now just added "DECLARE" in the validation.
> 
> All my templates expecting id=<some numeric> start with this 
> code (included):
> <CFIF val(id) EQ 0 AND (id CONTAINS "http" OR id CONTAINS 
> "user" OR id CONTAINS "DECLARE")> .... save IP of this guy in 
> the banned addresses table...
> </CFIF>
> 
> This is even more efficient than CFQUERYPARAM, because this 
> way I'm sure the guy will not have another chance.

That's fine, until the attack pattern contains something else, like Unicode
sequences. Figuring out what patterns to deny is a losing battle. It's much
more efficient to simply allow only acceptable actions, which is what
CFQUERYPARAM does.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

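An added example, not from either poster and written in Python rather than CFML, to make the deny-vs-allow point concrete: it models the quoted CFIF check (CFML val() returns the leading number or 0, CONTAINS is case-insensitive), puts an allow-only integer check beside it, and binds the value in a parameterised query the way CFQUERYPARAM would. The articles table, its rows and the helper names are constructed for the demo.

```python
import re
import sqlite3

# Words the quoted CFIF check looks for; matched case-insensitively like CONTAINS.
DENYLIST = ("http", "user", "declare")


def cf_val(s: str) -> float:
    """Approximates CFML val(): leading numeric prefix, or 0 when there is none."""
    m = re.match(r"\s*[-+]?\d*\.?\d+", s)
    return float(m.group()) if m else 0.0


def denylist_blocks(raw_id: str) -> bool:
    """The posted check: fires only when val(id) is 0 AND a listed word appears."""
    lowered = raw_id.lower()
    return cf_val(raw_id) == 0 and any(word in lowered for word in DENYLIST)


def allowlist_id(raw_id: str):
    """Allow-only check: a plain integer of sane length is accepted, anything else is None."""
    return int(raw_id) if re.fullmatch(r"\d{1,9}", raw_id) else None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for whatever the template queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup(conn: sqlite3.Connection, raw_id: str):
    """Validate with the allowlist, then bind the value (what CFQUERYPARAM does)."""
    id_ = allowlist_id(raw_id)
    if id_ is None:
        return None  # reject; the template would never reach the query
    return conn.execute("SELECT title FROM articles WHERE id = ?", (id_,)).fetchall()


def bind_as_data(conn: sqlite3.Connection, raw_id: str):
    """Even an unvalidated string, once bound as a parameter, is compared as data only."""
    return conn.execute("SELECT title FROM articles WHERE id = ?", (raw_id,)).fetchall()
```

Note that "5 DECLARE" is never blocked by the quoted check because val() returns 5, not 0, yet the allowlist rejects it outright and the bound parameter matches no row.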


Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309371