Well SQL attacks can be pretty severe (drop tables...delete all records etc.). That said...CFQUERYPARAM is your friend...and very easy to use.

As for the rest of your post...I'm not quite sure where specifically you're talking about??

Cheers

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]
---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com

----- Original Message -----
From: "Cornillon, Matthieu" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 3:00 PM
Subject: more on security

> Hello, everyone. I'm losing my mind swimming through the issue of filtering
> input variable scopes to stave off attacks. Something occurred to me: Why
> not just loop through all input variables and put them into HTMLEditFormat?
>
> I know that this won't take care of SQL attacks, but in terms of scripting
> attacks, won't the simple replacement of < and > take care of it all? I
> suppose that it might not handle problems where the form variable is
> dynamically evaluated within a tag to generate a portion of the CFML code
> itself, but given that those are rare cases in my situation, why can't I
> just replace < and > and then apply special security measures to those rare
> cases?
>
> Thanks,
> Matthieu
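As an added example, not code from Bryan's reply or from anyone on the list: the same record lookup in CFML written first with the request value pasted into the SQL text and then with CFQUERYPARAM, followed by HTMLEditFormat applied where the value is written into the page. The datasource name "myDSN", the table "users" and its columns are assumptions made up for the example.

```cfml
<!--- Added example (not from the thread). Assumed datasource "myDSN" and an
      assumed table users(user_id, username, email); both are constructed. --->

<!--- Unsafe form: URL.id is substituted into the SQL text, so whatever the
      request carries becomes part of the statement the database executes.
      This is the shape CFQUERYPARAM exists to replace. --->
<cfquery name="qUserUnsafe" datasource="myDSN">
    SELECT user_id, username, email
    FROM   users
    WHERE  user_id = #URL.id#
</cfquery>

<!--- Parameterised form: the value travels separately from the SQL text as a
      bound parameter, and cfsqltype enforces the declared type, so a value
      that is not an integer is rejected before the query runs. --->
<cfquery name="qUser" datasource="myDSN">
    SELECT user_id, username, email
    FROM   users
    WHERE  user_id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String parameters bind the same way; maxlength caps the accepted size
      so an oversized value fails early instead of reaching the database. --->
<cfquery name="qByName" datasource="myDSN">
    SELECT user_id, username, email
    FROM   users
    WHERE  username = <cfqueryparam value="#FORM.username#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
</cfquery>

<!--- Output side: HTMLEditFormat escapes <, >, & and the double quote at the
      point where the stored value is rendered into HTML, which is where
      script injection actually takes effect. --->
<cfoutput query="qUser">
    <p>User: #HTMLEditFormat(username)#</p>
    <p>Email: #HTMLEditFormat(email)#</p>
</cfoutput>
```

Two things worth keeping in mind when copying this pattern: CFQUERYPARAM addresses the database side only and does nothing for HTML output, while HTMLEditFormat addresses output only and does nothing for SQL, so the two are complementary rather than alternatives. HTMLEditFormat also leaves the single quote untouched, so a value written into a single-quoted HTML attribute or inside an inline script block still needs an encoding appropriate to that context.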

