What is wrong with using cfqueryparam and either htmlEditFormat() or a strip-tags UDF? I'd be interested to see a case these two techniques do not handle.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Tilbrook
Sent: Wednesday, 26 October 2005 11:46 p.m.
To: CFAussie Mailing List
Subject: [cfaussie] Suggestions - CF form security

>> What is the best way to prevent users in a BB type scenario from posting script or SQL into a textfield or textarea? Making changes to the administrator is not an option. I figured there must be something better than REreplaceNoCase. However, if REreplaceNoCase is the best option, does anyone have a readymade snippet of code that will encompass the most malicious tags, SQL attacks, etc? <<

This is a message from a NG and I was stumped apart from using CFQUERYPARAM or UDF's. Any other suggestions? If it is any consolation, no-one yet seems to have a safe answer and there have been a few.

Thanks!
PT

---
You are currently subscribed to cfaussie as: [EMAIL PROTECTED]
To unsubscribe send a blank email to [EMAIL PROTECTED]
Aussie Macromedia Developers: http://lists.daemon.com.au/
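The two techniques named in the reply above, cfqueryparam when the post is stored and htmlEditFormat when it is displayed, as an added example that is not code from the thread. It assumes a datasource named "bb", a table posts(id, author, body) and a form that submits author and body.

```cfml
<!--- Added example, not from the original thread. Assumes datasource "bb",
      table posts(id, author, body) and a form posting author and body. --->

<!--- Storing: bind each form value with cfqueryparam instead of writing
      #form.body# straight into the SQL string. The value travels as a bound
      parameter, so quotes or SQL keywords in a post are stored as plain text
      and never change the statement. maxlength rejects oversized input before
      it reaches the database. --->
<cfquery name="insertPost" datasource="bb">
    INSERT INTO posts (author, body)
    VALUES (
        <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#form.body#"   cfsqltype="cf_sql_longvarchar">
    )
</cfquery>

<!--- Displaying: keep the raw text in the database and escape at output
      time. htmlEditFormat turns < > & and " into entities, so a posted
      <script> tag reaches the browser as literal text, not markup. --->
<cfquery name="getPosts" datasource="bb">
    SELECT id, author, body
    FROM posts
    ORDER BY id DESC
</cfquery>

<cfoutput query="getPosts">
    <div class="post">
        <b>#htmlEditFormat(getPosts.author)#</b>
        <p>#htmlEditFormat(getPosts.body)#</p>
    </div>
</cfoutput>
```

One caveat: htmlEditFormat does not escape single quotes, so the escaped value is only safe inside element content or double-quoted attributes, and it does nothing for values placed inside a JavaScript string or a URL, which need their own encoding.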
