Well, you make sure that SQL cannot be inserted by using CFQUERYPARAM around your values, so any altering of form fields or URLs won't allow code execution. There isn't much you can do about general text fields, as these are intended for people to type text into. But as long as you stop code execution, then nothing they put here will do any damage. You may want to do validation to stop any TAGS being typed into the fields, and stop arbitrary code from calling individual pages on your site, otherwise people can then use JavaScript and the like to get at people's data.

An example of this. Let's say you have a site where you can view people's profiles or comments, such as a forum for instance. In my post or comment or profile I could put some JavaScript that popped up a new window and loaded the personal settings page into that window (which would load that person's settings because they are logged in). Now, because my code is on the calling page that popped up that window, I can now manipulate anything in that window, which means I can alter the form action to submit any form to a URL on my server instead and thus grab any of that person's info such as username/password etc. when they click save, or I can just grab anything that is on that page initially and use an IMG tag to send all the values as attributes to a .cfm page on my server. Or indeed I can pop up any old page from my own server that tells that person they have logged out and to log back in; bam, I have their login details.

Now apply this example to sites that take orders, store credit details, private information about people, and you can see how easy it is to steal people's databases without the correct code in place to stop it. I can tell you for a start that I discovered you can do this sort of thing with the WorldPay payment gateway unless you implement code to avoid it.
I hope I haven't given you lot any ideas now :-)

Russ Michaels
Macromedia/Allaire Certified ColdFusion Developer
CFDeveloper
The free resource and community for ColdFusion developers.
http://www.cfdeveloper.co.uk
Join the CFDeveloper discussion lists. To subscribe send an e-mail to [EMAIL PROTECTED]

> -----Original Message-----
> From: Stephen Adams [mailto:[EMAIL PROTECTED]]
> Sent: 07 September 2004 16:33
> To: 'Dev
> Subject: [ cf-dev ] Tips on securing a form.
>
> Hi,
>
> I have a simple form, which mainly uses drop-down lists, but
> there are a couple of textareas and textfields. Can anyone
> tell me where I can find tutorials/tips on how to
> programmatically secure this form.
>
> At the moment my form submits straight to an INSERT query. I
> just want to make sure no one can attack the site through this form.
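As an added illustration of the CFQUERYPARAM and tag-validation advice in the reply above (example code written for this edit, not from the original thread; the datasource, table, column and form-field names are assumed):

```cfml
<!--- BEFORE: the form values are pasted straight into the SQL text.
      Whatever the user typed becomes part of the statement, so a
      quote character in the textarea changes the query itself. --->
<cfquery name="insComment" datasource="myDSN">
    INSERT INTO comments (author, category_id, body)
    VALUES ('#form.author#', #form.category_id#, '#form.body#')
</cfquery>

<!--- AFTER: every value, including the drop-down, is bound as a typed
      parameter. The database receives the text as data only, so it can
      never alter the statement. cf_sql_integer rejects a non-numeric
      category_id (the browser may not have sent one of your options),
      and maxlength rejects oversized input. --->
<cfquery name="insComment" datasource="myDSN">
    INSERT INTO comments (author, category_id, body)
    VALUES (
        <cfqueryparam value="#form.author#"      cfsqltype="cf_sql_varchar" maxlength="50">,
        <cfqueryparam value="#form.category_id#" cfsqltype="cf_sql_integer">,
        <cfqueryparam value="#form.body#"        cfsqltype="cf_sql_varchar" maxlength="2000">
    )
</cfquery>

<!--- ON DISPLAY: encode the stored text so any HTML or script tags a
      poster typed render as literal characters instead of running in
      other users' browsers (the profile/comment scenario above). --->
<cfquery name="getComments" datasource="myDSN">
    SELECT author, body FROM comments
</cfquery>
<cfoutput query="getComments">
    <p><b>#HTMLEditFormat(getComments.author)#</b>:
       #HTMLEditFormat(getComments.body)#</p>
</cfoutput>
```

In ColdFusion 10 and later, encodeForHTML() is the preferred replacement for HTMLEditFormat() on output.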
