Bryan,
Sorry about the confusion. Okay. Let's say that I have taken care of all
SQL attacks through some other method. Now, I look at all of the Form,
Cookie, and URL variables, and replace the values contained within each of
them with their HTMLEditFormat equivalents. So, if someone tries to put:
<SCRIPT language="JavaScript">alert('Gotcha!');</script>
...into a form field, the resulting value after the HTMLEditFormat
replacement will have the < and > escaped out. That way, when I re-display
the value on a separate page using CFOUTPUT, it doesn't get interpreted as
code by the browser. But this doesn't remove the attack; it just renders it
ineffective. My question is whether I am right in assuming that this would
render all such scripting attacks ineffective.
Matthieu
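A worked check of the blanket HTMLEditFormat approach discussed above, added here as an illustration and not code from the thread: a Python approximation of HTMLEditFormat (assumed to escape only &, <, > and the double quote), the one-pass sweep over the Form/URL/Cookie scopes, and a per-context test that reports which characters a single encoding pass leaves syntactically live. The context names, CONTEXT_METACHARS and the cfml_eval case (the "dynamically evaluated as CFML" situation from the original post) are my own assumptions, not anything ColdFusion defines.

```python
import re
from typing import Dict, Set

# The thread's own sample payload, reused as the test input.
PAGE_PAYLOAD = """<SCRIPT language="JavaScript">alert('Gotcha!');</script>"""

# Characters that carry syntax in each HTML output context. Assumption (not from
# the thread): the sets follow the HTML grammar. "cfml_eval" names the case
# Matthieu mentions, where a value is evaluated as CFML rather than rendered.
CONTEXT_METACHARS: Dict[str, Set[str]] = {
    "text": set("<>&"),
    "attr_double_quoted": set('"&'),
    "attr_single_quoted": set("'&"),
    "attr_unquoted": set("\"'<>=& \t\n"),
}
_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);")

def html_edit_format(value: str) -> str:
    """Approximation of ColdFusion's HTMLEditFormat; assumed to escape only &, <, > and the double quote."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def escape_scopes(scopes: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """The blanket pass from the thread: encode every Form/URL/Cookie value up front."""
    return {scope: {k: html_edit_format(v) for k, v in values.items()}
            for scope, values in scopes.items()}

def leftover_metachars(encoded: str, context: str) -> Set[str]:
    """Characters that still carry syntax in `context` after encoding; empty means
    the encoder covers that context, anything else needs a context-specific encoder."""
    if context == "cfml_eval":
        raise ValueError("value becomes code here; HTML encoding does not apply")
    inert = _ENTITY.sub("", encoded)  # well-formed entities are not metacharacters
    return {c for c in inert if c in CONTEXT_METACHARS[context]}

def covers(value: str, context: str) -> bool:
    """True if a single HTMLEditFormat pass is sufficient for this output context."""
    try:
        return not leftover_metachars(html_edit_format(value), context)
    except ValueError:
        return False

if __name__ == "__main__":
    scopes = {"form": {"comment": PAGE_PAYLOAD}, "url": {"q": "O'Reilly & Sons"}, "cookie": {}}
    for scope, values in escape_scopes(scopes).items():
        for name, encoded in values.items():
            gaps = {ctx: sorted(leftover_metachars(encoded, ctx)) for ctx in CONTEXT_METACHARS}
            print(f"{scope}.{name}: {encoded!r} -> leftover per context {gaps}")
```

The sweep neutralizes the page's script-tag payload wherever the value lands in element text or a double-quoted attribute; the per-context report shows where one encoder is not enough, and the cfml_eval case is exactly the "handle separately" situation the original post already sets aside.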
-----Original Message-----
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 02, 2002 6:09 PM
To: CF-Talk
Subject: Re: more on security
Well SQL attacks can be pretty severe (drop tables...delete all records etc.). That said..CFQUERYPARAM is your friend...and very easy to use.
As for the rest of your post...I'm not quite sure where specifically you're talking about??
Cheers
Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]
---------------------------------------------------------
Macromedia Associate Partner
www.macromedia.com
---------------------------------------------------------
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
----- Original Message -----
From: "Cornillon, Matthieu" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 3:00 PM
Subject: more on security
> Hello, everyone. I'm losing my mind swimming through the issue of filtering
> input variable scopes to stave off attacks. Something occurred to me: Why
> not just loop through all input variables and put them into HTMLEditFormat?
>
> I know that this won't take care of SQL attacks, but in terms of scripting
> attacks, won't the simple replacement of < and > take care of it all? I
> suppose that it might not handle problems where the form variable is
> dynamically evaluated within a tag to generate a portion of the CFML code
> itself, but given that those are rare cases in my situation, why can't I
> just replace < and > and then apply special security measures to those rare
> cases?
>
> Thanks,
> Matthieu