Raymond Camden wrote:
> Why would anyone need to clean cfcode? Unless you save user input to a
> file and cfinclude it, it will not get executed.
That is a dangerous oversimplification.
Many people generate dynamic forms and loop over either form.fieldnames
or the form collection to evaluate the forms that are posted back. This
frequently involves the Evaluate() function. Something like:
<cfloop list="#form.fieldnames#" index="field">
<!--- the field NAME itself is handed to Evaluate(), unscoped --->
<cfset temp = Evaluate(field)>
other code
</cfloop>
In testing somebody's site I have used this to slow his site to a crawl
by making a custom form with code like:
<form action="">
<input type="text" name="CFUSION_DBCONNECTIONS_FLUSH()">
</form>
Naturally correct scoping of variables prevents this, but sloppy use of
Evaluate() and certain other functions is just as dangerous as executing
user code the way you describe.
Jochem
PS: Safe would be not to scope functions to the form scope and use:
<cfloop list="#form.fieldnames#" index="field">
<!--- the name is prefixed with the form scope before evaluation --->
<cfset temp = Evaluate("form." & field)>
other code
</cfloop>
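As an added example (not code from the original post), here is one way to walk a dynamically generated form without handing any user-controlled string to Evaluate() at all: field names are checked against an allow-list of the shapes the page rendered, and values are read with struct notation. The naming scheme (qty_<id>, note_<id>) and the log file name are assumptions.

```cfml
<!--- Added example, not from the original post.
      Assumption: the page rendered fields named qty_<id> and note_<id>. --->
<cfset allowedName = "^(qty|note)_[0-9]{1,9}$">
<cfset cleanValues = structNew()>
<cfset rejected = arrayNew(1)>

<cfloop list="#form.fieldnames#" index="field">
    <!--- 1. Accept only names matching what this page actually emitted.
            Anything carrying parentheses, operators or hash marks fails here. --->
    <cfif reFind(allowedName, field)>
        <!--- 2. Struct access treats the name as data; nothing is evaluated. --->
        <cfif structKeyExists(form, field)>
            <cfset cleanValues[field] = form[field]>
        </cfif>
    <cfelse>
        <cfset arrayAppend(rejected, field)>
    </cfif>
</cfloop>

<!--- 3. An unexpected field name is a signal worth recording, not just junk. --->
<cfif arrayLen(rejected)>
    <cflog file="dynamic_form" type="warning"
           text="Rejected field names: #arrayToList(rejected)#">
</cfif>
```

Downstream code then works only from cleanValues, so a posted name such as the one in the message above never reaches an evaluating function.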
______________________________________________________________________
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists