This function is good:
http://cflib.org/udf/SafeText

-Mike Chabot

On Fri, Sep 12, 2008 at 11:25 AM, Adrian Lynch
<[EMAIL PROTECTED]> wrote:
> Here's one way...
>
> <!--- Evil form fields --->
> <cfset FORM.email = "<script>alert('Bad script!');</script>">
> <cfset FORM.name = "<img src='bad.gif' />">
>
> <!--- Nice form fields --->
> <cfset FORM.email = "sdadsds">
> <cfset FORM.name = "asasa">
>
> <cfset bannedList = "http,script,img,http">
> <cfset formFieldsToCheck = "email,name">
> <cfset proceed = true>
>
> <cfloop list="#bannedList#" index="i">
>        <cfloop list="#formFieldsToCheck#" index="j">
>                <cfif FindNoCase(i, FORM[j])>
>                        <cfset proceed = false>
>                        <cfbreak>
>                </cfif>
>        </cfloop>
> </cfloop>
>
> <cfif proceed>
>        Yaaay! :OD
> <cfelse>
>        Booooo :O(
> </cfif>
>
> Adrian
>
> -----Original Message-----
> From: Julie Davenport [mailto:[EMAIL PROTECTED]
> Sent: 12 September 2008 15:54
> To: CF-Talk
> Subject: Alternative to using CONTAINS repeatedly?
>
>
> Hello all,
> I'm trying to screen out "bad stuff" sent to my scripts in the form fields
> and I know there has to be a better way to do it than this:
>
> <cfif lcase(form.First_Name) CONTAINS 'http'
>   OR lcase(form.First_Name) CONTAINS 'script'
>   OR lcase(form.First_Name) CONTAINS 'img'
>   OR lcase(form.Last_Name) CONTAINS 'http'
>   OR lcase(form.Last_Name) CONTAINS 'script'
>   OR lcase(form.Last_Name) CONTAINS 'img'
>   OR lcase(form.email) CONTAINS 'http'
>   OR lcase(form.email) CONTAINS 'script'
>   OR lcase(form.email) CONTAINS 'img'
>   OR lcase(form.comments) CONTAINS 'http'
>   OR lcase(form.comments) CONTAINS 'script'
>   OR lcase(form.comments) CONTAINS 'img'>
>     (do not process)
> <cfelse>
>     (process)
> </cfif>
>
> There must be an easier way to check multiple fields to see if they contain
> any of a list of character strings.  I've looked through the LIST functions
> and they seem to do the opposite (look whether a string is contained in a
> list).  Any suggestions?
>
> thanks much,
> Julie
>
>
> 

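Adrian's loop, generalized into a reusable function, as an added example that is not from anyone in this thread: it checks any struct of fields against the banned list, reports which field and term matched, and shows why the substring denylist is only a coarse filter (a harmless comment containing "script" gets rejected) and why user input should be rendered through HTMLEditFormat regardless. The function name, field names and sample values are constructed for illustration.

```cfml
<!--- Added example (not from the thread): one data-driven check over all
      form fields, returning which field and term matched, plus the
      output-encoding step that actually stops injected markup from running.
      Function name, field names and sample values are constructed. --->
<cffunction name="findBannedTerm" returntype="struct" output="false">
    <cfargument name="fields" type="struct" required="true">
    <cfargument name="banned" type="string" required="true">
    <cfset var result = { found = false, field = "", term = "" }>
    <cfset var fieldName = "">
    <cfset var term = "">
    <cfloop collection="#arguments.fields#" item="fieldName">
        <cfloop list="#arguments.banned#" index="term">
            <!--- FindNoCase returns the position (> 0) of a case-insensitive substring match --->
            <cfif FindNoCase(term, arguments.fields[fieldName])>
                <cfset result.found = true>
                <cfset result.field = fieldName>
                <cfset result.term = term>
                <cfreturn result>
            </cfif>
        </cfloop>
    </cfloop>
    <cfreturn result>
</cffunction>

<!--- Constructed sample input: only the fields we care about, not the whole FORM scope --->
<cfset fieldsToCheck = {
    First_Name = "Julie",
    Last_Name = "Smith",
    email = "julie@example.com",
    comments = "Nice script, thanks"
}>
<cfset hit = findBannedTerm(fieldsToCheck, "http,script,img")>

<cfif hit.found>
    <!--- A substring denylist fires on innocent text too: "Nice script" contains "script" --->
    <cfoutput>Rejected: field #hit.field# matched "#hit.term#"</cfoutput>
<cfelse>
    (process)
</cfif>

<!--- Whatever the check decides, encode user input when displaying it, so a
      tag that slipped past the list is shown as text rather than executed --->
<cfoutput><p>Comments: #HTMLEditFormat(fieldsToCheck.comments)#</p></cfoutput>
```

Because the function returns the offending field and term, the rejection can be logged with that detail instead of only the "Booooo" branch firing.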
Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:312450