URL hacks, I think, are easier to handle than form.Variables.
I have limited to the bare minimum the number of variables passed by URL and where I
have used them,
and where I have, they are limited to a Number/Integer, so that VAL()
works well. But with forms, there is such a wide range of information that
you are capturing that it makes it a lot harder to control.
I have used <CF_FILTER>, which seems to be working well. But I like the
idea of adding the notification by email when an attempted hack is tried and
then kicking them off the site.
And if anyone has seen a hack that bypasses <CF_FILTER>, could you share the
information?
I know it's not the end-all for security.
-----Original Message-----
From: Chad Gray [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2001 3:11 PM
To: CF-Talk
Subject: RE: URL Hacks - Solution
Where is CF_Input? I can't find it on the Developers Exchange.
On a SQL database, can't you specify that the user connected to the database
cannot use the DROP command? Wouldn't this be the first line of defense?
At 05:00 PM 7/9/2001 -0400, you wrote:
>Why not just use cf_input? This tag works great; you can add words in there
>like delete, drop and add so that you don't have people entering things into
>your database.
>
>Robert Everland III
>Dixon Ticonderoga
>Web Developer Extraordinaire
>
>-----Original Message-----
>From: Josh R [mailto:[EMAIL PROTECTED]]
>Sent: Monday, July 09, 2001 1:46 PM
>To: CF-Talk
>Subject: Re: URL Hacks - Solution
>
>
>I've been reading this thread since the beginning and came up with a pretty
>comfortable solution. I call it cf_antihack. It's a blanket script with a
>pretty quick run time. I haven't placed it on the Developers Exchange yet,
>but I might.
>
>I am offering it to you guys first so I can get some input on it.
>
>You can get the code at my site at http://www.rubak.com/cf-codes.cfm
>
>Don't forget to give me some feedback. If people like this solution, I plan
>to increase its reach to cover other security issues.
>
>Disclaimer: I am by no means a security expert. I just came up with (what I
>think is) a good idea.
>
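
The thread contrasts numeric URL parameters (handled with VAL()) with free-form form fields, and mentions e-mailing a notice and stopping the request when bad input arrives. The following is an added example, not code from any poster in this thread or from the tags they mention; it shows one way to do both without a keyword filter, by validating the URL value strictly and binding every value with `<cfqueryparam>`. The datasource, table, column and e-mail address names are assumptions.

```cfml
<!--- Added example. exampleDSN, the comments table and both addresses are assumed names. --->
<cfparam name="url.id" default="">
<cfparam name="form.comment" default="">

<!--- URL value: accept 1-9 digits only. Val() alone would silently turn
      a non-numeric value into 0 instead of flagging it. --->
<cfif NOT REFind("^[0-9]{1,9}$", url.id)>
    <!--- Notify an administrator, then stop processing the request --->
    <cfmail to="admin@example.com" from="site@example.com"
            subject="Rejected URL parameter">
Rejected id value from #cgi.remote_addr# on #cgi.script_name#:
#url.id#
    </cfmail>
    <cfabort>
</cfif>

<!--- Form text: the value is sent to the database as a typed bind parameter,
      so words such as DROP or DELETE inside it are stored as plain data
      and never become part of the SQL statement. --->
<cfquery name="addComment" datasource="exampleDSN">
    INSERT INTO comments (item_id, body)
    VALUES (
        <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#Left(form.comment, 500)#"
                      cfsqltype="cf_sql_varchar" maxlength="500">
    )
</cfquery>
```

Running the datasource under a database account that has no rights to DROP or alter tables, as raised in the reply above, limits the damage if a query elsewhere is still built by string concatenation.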