>
> Anything and everything received from external, untrusted sources must
> be considered suspect.
>
+1
I find using tools like Portcullis.cfc to be warranted for forward-facing
sites. As a minimum I would check to see if the request is actually
coming from your site before making any changes to data.
Even on internal stuff I use the following snippet to make sure people don't
have any URLs that manipulate data bookmarked or saved as a shortcut.
<!--- Reject the request when the Referer does not mention this server, so a
bookmarked or externally linked URL cannot reach the data-changing code below. --->
<cfif NOT findnocase(cgi.SERVER_NAME, cgi.HTTP_REFERER)>
    <!--- <cfinclude template="#Application.tmp_url#/incl/header.cfm"> --->
    <cfoutput>
        <div align="center">
            You are trying to access this page from a bookmark or an
            unauthorised location.
            <br />
            Please <a href="someurl">Go to the main website and
            try again</a>.
        </div>
    </cfoutput>
    <!--- <cfinclude template="#Application.tmp_url#/incl/footer.cfm"> --->
    <!--- Stop processing here; nothing after this tag runs for the rejected request. --->
    <cfabort>
</cfif>
G!
On Mon, Jan 24, 2011 at 12:08 PM, Ian Skinner <[email protected]> wrote:
>
> On 1/24/2011 8:50 AM, Richard White wrote:
> > ok thanks for the help
>
> I just wanted to add that your question, concerns and the replies DO NOT
> just apply to URL variables. They apply to ANY and ALL data received
> from the client, including form POST values, COOKIE values, etc.
>
> Anything and everything received from external, untrusted sources must
> be considered suspect.
>
> I mention this because many people have the mistaken impression that
> form POST variables are more secure and thus do not need to be tested
> just because they are not written in the URL bar of the browser. This
> is most definitely not true.
>
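The Referer test in the snippet above, reimplemented in Python as an added example (not code from the thread or from Portcullis.cfc) so the two ways of comparing the Referer to the server name can be run side by side: the substring match that findnocase performs, and a comparison of the parsed Referer host. The server name and the sample Referer values are constructed placeholders.

```python
from urllib.parse import urlsplit


def substring_referer_check(server_name: str, referer: str) -> bool:
    """Same test as findnocase(cgi.SERVER_NAME, cgi.HTTP_REFERER):
    the request passes if the server name occurs anywhere in the Referer."""
    return server_name.lower() in referer.lower()


def host_referer_check(server_name: str, referer: str) -> bool:
    """Stricter variant: parse the Referer as a URL and require its host
    component to equal the server name. A missing or unparsable Referer
    (bookmark, typed URL, privacy proxy) fails closed, like the original."""
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname
    except ValueError:
        return False
    return host is not None and host.lower() == server_name.lower()


# Constructed sample Referer values for a server named www.example.com
# (placeholder host, not taken from the thread).
SERVER_NAME = "www.example.com"
SAMPLE_REFERERS = [
    "http://www.example.com/incl/list.cfm",              # same-site link
    "",                                                  # bookmark / typed URL
    "http://www.example.com.other.test/page.cfm",        # other host, name as prefix
    "http://other.test/page.cfm?back=www.example.com",   # name only in query string
]


def compare_checks(server_name: str = SERVER_NAME, referers=SAMPLE_REFERERS):
    """Return (referer, substring_result, host_result) for each sample so the
    difference between the two checks is visible in one table."""
    return [
        (r, substring_referer_check(server_name, r), host_referer_check(server_name, r))
        for r in referers
    ]


if __name__ == "__main__":
    for referer, loose, strict in compare_checks():
        print(f"{referer or '<none>':50} substring={loose!s:5} host={strict}")
```

A Referer check of either kind only filters accidental navigation, since the header is supplied by the client; the values the request carries still need the validation Ian describes.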
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:341135
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm