I currently run content filter with complex regular expression matching to
weed out any malicious code from form submisions. It's easy to plug into
an app without having to modify every query with <cfqueryparam>.

Before anything goes to the database I do this:

<!--- Invoke an instance of the content filter component in the application 
scope. --->
<cfif NOT StructKeyExists(application, "cFilter")>
        <cflock name="contentFilterLock" type="exclusive" timeout="30">
        <cfif NOT StructKeyExists(application, "cFilter")>
                <cfset 
application.cFilter=createObject("component","contentFilter")>
        </cfif>
        </cflock>
</cfif>

<!--- Clean up url and form fields --->
<cfif NOT StructIsEmpty(attributes)>
        <!--- Loop through attributes variables. --->   
        <cfloop list="#StructKeyList(attributes)#" index="field">
        <cfif field DOES NOT CONTAIN "file">
                <cfset 
attributes[field]=application.cFilter.stringFilter(attributes[field])>
        </cfif>
        </cfloop>
</cfif>

It works pretty well and is also used to strip out any dodgy html
formatting, etc. Anyone got any thoughts on this?

Jason Sheedy
www.voice.com.au

---
You are currently subscribed to cfaussie as: [email protected]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Aussie Macromedia Developers: http://lists.daemon.com.au/

Reply via email to