>- see footer for list info -<
I use a regular expression to prevent anything that isn't a number or letter
getting into the database:

function stripspecial(tmpstr){
    // remove every character that is not a letter or digit
    // (note: this also strips spaces and all punctuation from the text)
    return REReplace(tmpstr, "[^a-zA-Z0-9]", "", "ALL");
}



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Peter Donahue
Sent: 31 January 2005 19:47
To: Allan - CFUG Spain; Coldfusion Development
Subject: [CF-Dev] hack proofing CF and XHTML pages

Hello everyone,

    I'm working on a CF website for an organization I belong to that is
scheduled to go on-line on July 1 of this year.  I did this as a class
project last semester.  The site contains a Microsoft Access database for
displaying guestbook information. It also allows visitors to post
information to the guestbook via several XHTML forms. Because I had taken on
such an advanced project for my final exam assignment, the instructor decided
to point out some vulnerabilities of this guestbook by hacking into it
during our final exam show and tell.  He did this by entering HTML and XHTML
tags into the form fields, and made a real mess of things.  I fixed things
later that day.  He told me that there is some code one must enter on form
pages that prevents data entered as HTML or XHTML tags from being
interpreted as such, preventing damage to the database and giving hackers a
field day.  He said that it was some kind of formatting protocol which
enhances security on such pages, but I don't have the specific code, or know
how to set it up.  If one of you can help me out with this I'll appreciate
that very much.  The site is located at:
http://www.nfb-travel.org/nfb-travel.cfm

    This is a link that allows you to bypass the home page, which is an under
construction notice.  Please feel free to check out these pages, and let me
know what to do to hack proof those data entry pages.  By the way, I earned
an A in that course.  Over here an A is the highest letter grade one can
earn in a class.  Thanks in advance.

Peter Donahue


_______________________________________________

For details on ALL mailing lists and for joining or leaving lists, go to
http://list.cfdeveloper.co.uk/mailman/listinfo

--
CFDeveloper Sponsors:-
>- Hosting provided by www.cfmxhosting.co.uk -<
>- Forum provided by www.fusetalk.com -<
>- DHTML Menus provided by www.APYCOM.com -<
>- Lists hosted by www.Gradwell.com -<
>- CFdeveloper is run by Russ Michaels, feel free to volunteer your help -<
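The two ideas in this thread, the reply's allowlist regex and the "formatting" the instructor alluded to (encoding stored text on output so the browser does not interpret it as markup), written out as an added ColdFusion example; this is not code from either poster. HTMLEditFormat, REReplace and the Query* functions are standard CFML; the sample input and the in-memory guestbook query are constructed for the example.

```cfml
<cfscript>
// Added example (not from the list posts). Two complementary defences:
//  1. Encode on output: HTMLEditFormat() turns <, >, &, " into entities, so a
//     stored "<b>" is displayed as text instead of being interpreted by the browser.
//  2. Restrict on input: an allowlist that keeps letters, digits, spaces and basic
//     punctuation. The stricter [^a-zA-Z0-9] from the reply also deletes spaces,
//     so a guestbook entry "Great site!" would be stored as "Greatsite".
function cleanGuestbookText(tmpstr) {
    // keep letters, digits, spaces and . , ! ? ' -  ; drop everything else
    return REReplace(tmpstr, "[^a-zA-Z0-9 .,!?'-]", "", "ALL");
}

// Constructed sample resembling markup typed into a guestbook form field
sample  = "<script>alert('x')</script>Great <b>site</b>!";
cleaned = cleanGuestbookText(sample);   // angle brackets and slashes are gone, text survives
encoded = HTMLEditFormat(sample);       // every < > & " is now an entity

// Constructed in-memory query standing in for the Access guestbook table
guestbook = QueryNew("message");
QueryAddRow(guestbook);
QuerySetCell(guestbook, "message", sample);
</cfscript>

<!--- Display: encode each stored entry regardless of what was filtered on input,
      so even an entry that slipped past the allowlist renders as harmless text --->
<cfoutput query="guestbook">
    <p>#HTMLEditFormat(guestbook.message)#</p>
</cfoutput>
```

Applying the encoding at display time protects every page that shows guestbook data, including entries that were saved before any input filter existed.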