Is this the most efficient way to check for SQL in form input?
Sebastian
------------------
<cfset FORM.FirstName = 'Sebastian'>
<cfset FORM.LastName = 'Palmigiani'>
<cfset FORM.Address = ';drop table members;'>
<!--- Gather every submitted field into one comma-delimited list --->
<cfset FormList = ''>
<cfset FormList = ListAppend(FormList, FORM.FirstName)>
<cfset FormList = ListAppend(FormList, FORM.LastName)>
<cfset FormList = ListAppend(FormList, FORM.Address)>
<!--- SQL keywords to look for in any field --->
<cfset SQLList = 'Select,Insert,Delete,Update,Drop,Create,Table'>
<cfloop list="#SQLList#" index="SQL">
    <!--- ListContainsNoCase returns the index of the first element that contains the keyword, or 0 if none does --->
    <cfif ListContainsNoCase(FormList, SQL)>
        <!--- Send back if there are SQL keywords --->
        <cflocation url="index.cfm?Message=Error">
    </cfif>
</cfloop>
on 5/22/01 5:27 PM, Bryan Love at [EMAIL PROTECTED] wrote:
> someone could conceivably type "; drop table [tablename];" into a form field
> if they knew the name of the table and mess up the DB
>
>
> Bryan Love ACP
> Internet Application Developer
> [EMAIL PROTECTED]
>
>
>
> -----Original Message-----
> From: Pooh Bear [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 22, 2001 9:28 AM
> To: CF-Talk
> Subject: Compromising Security
>
>
> hey, I was wondering what is the least amount of information someone needs
> to compromise my database or code? I am.....err..."hacking?" my
> site/database through the URL. So far, I've got 2 tablenames, the
> datasource, and some field names. I don't want to have to do a lot of coding
> to prevent this from being seen by someone else, but I will if I have to, but
> first I want to know if anyone could do anything with this much information.
>
> Thanx! :)
>
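For contrast with the keyword scan at the top of this message, here is the same form handled with a parameterized query; this is an added example and not code from anyone in the thread. The datasource name `MyDSN`, the `members` table and its columns, and the `URL.MemberID` parameter are assumed. With `<cfqueryparam>` each value is bound as data of a declared type rather than spliced into the SQL text, so an address of `;drop table members;` is stored as a literal string and the keyword check becomes unnecessary.

```cfml
<!--- Added example (not from the original post). Datasource "MyDSN", the
      members table and its columns, and URL.MemberID are assumed. --->
<cfset FORM.FirstName = 'Sebastian'>
<cfset FORM.LastName = 'Palmigiani'>
<cfset FORM.Address = ';drop table members;'>

<!--- Insert the submitted values through bound parameters. Each value reaches
      the database as data of the declared type, never as part of the SQL
      statement, so the keywords in FORM.Address cannot alter the query. --->
<cfquery name="addMember" datasource="MyDSN">
    INSERT INTO members (FirstName, LastName, Address)
    VALUES (
        <cfqueryparam value="#FORM.FirstName#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#FORM.LastName#"  cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#FORM.Address#"   cfsqltype="cf_sql_varchar" maxlength="200">
    )
</cfquery>

<!--- The same protection for a value taken from the URL (the case Pooh Bear
      was probing): declaring the parameter as an integer makes ColdFusion
      reject any non-numeric value before the query is ever sent. --->
<cfquery name="getMember" datasource="MyDSN">
    SELECT FirstName, LastName, Address
    FROM members
    WHERE MemberID = <cfqueryparam value="#URL.MemberID#" cfsqltype="cf_sql_integer">
</cfquery>
```

The `maxlength` attributes also give each field a hard length limit at the query boundary, which is worth keeping even when the form itself enforces one.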
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists