The solution is simple:

strip out JavaScript and HTML from form posts
by replacing < and > with &gt; and &lt; and the word 'javascript' with 'java
script' or something.

That way, if code is posted, it will be rendered ineffective.

cflib has a bit of code to do just that, AFAIK.

HTH

Matt
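
As an added example (not code from the list, from cflib, or from any poster here), the following ColdFusion page combines the two controls recommended in this thread: <cfqueryparam> on the INSERT so that form values are bound as data and cannot alter the SQL, and HTML-encoding of stored values when they are displayed so that any tags or script saved in a comment are shown as plain text. The datasource "myDSN", the table "comments" and its columns comment_id, author and body are assumptions made for illustration.

```cfml
<!--- Added example, not from the list. Assumptions (not in the thread):
      a datasource "myDSN" and a table "comments" with columns
      comment_id, author and body. --->

<!--- 1. Insert: every form value goes through <cfqueryparam>, so whatever a
      user typed is sent as a bound parameter and can never change the SQL
      statement. maxlength also rejects over-long input before it reaches the
      database. --->
<cfif structKeyExists(form, "author") AND structKeyExists(form, "body")>
    <cfquery datasource="myDSN">
        INSERT INTO comments (author, body)
        VALUES (
            <cfqueryparam value="#form.author#" cfsqltype="cf_sql_varchar" maxlength="50">,
            <cfqueryparam value="#form.body#"   cfsqltype="cf_sql_varchar" maxlength="2000">
        )
    </cfquery>
</cfif>

<!--- 2. Display: stored text is HTML-encoded on the way out, so a <script>
      or <img> tag saved in a comment is rendered as literal characters
      instead of being interpreted by the browser of whoever views the page.
      HTMLEditFormat() encodes <, >, & and the double quote. --->
<cfquery name="getComments" datasource="myDSN">
    SELECT author, body
    FROM comments
    ORDER BY comment_id DESC
</cfquery>

<cfoutput query="getComments">
    <p><strong>#HTMLEditFormat(author)#</strong>: #HTMLEditFormat(body)#</p>
</cfoutput>

<!--- 3. Same rule for values echoed back into the form itself: always inside
      a double-quoted attribute, always encoded. --->
<cfparam name="form.author" default="">
<form method="post" action="">
    <input type="text" name="author"
           value="<cfoutput>#HTMLEditFormat(form.author)#</cfoutput>">
    <textarea name="body"></textarea>
    <input type="submit" value="Save">
</form>
```

Two caveats worth keeping in mind: HTMLEditFormat() does not encode the single quote, so encoded values belong in element content or in double-quoted attributes only, and it does nothing for a value dropped into a JavaScript block or a URL, which need their own encoding. Encoding at display time rather than stripping at input time keeps the original text intact in the database and protects every page that shows it, whichever form the text arrived through.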



----- Original Message ----- 
From: "Russ Michaels (Snake)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 08, 2004 10:10 AM
Subject: RE: [ cf-dev ] Tips on securing a form.


> Yes, because the JavaScript you're putting in the form is being saved in the
> database and displayed on another page. You're not altering the original
> page. This allows you to gain access to pages and data that only the person
> logged into the site should be able to see.
>
> Russ
>
> > -----Original Message-----
> > From: Mark Smyth [mailto:[EMAIL PROTECTED]
> > Sent: 07 September 2004 17:24
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ cf-dev ] Tips on securing a form.
> >
> > Hi Russ
> >
> > I'm a bit confused. Is entering the JavaScript into form fields and then
> > altering the HTML any different from viewing the source of a form, saving
> > a local copy and then altering the HTML and posting it?
> >
> > Thanks
> > Mark
> >
> > -----Original Message-----
> > From: Russ Michaels (Snake) [mailto:[EMAIL PROTECTED]
> > Sent: 07 September 2004 17:03
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ cf-dev ] Tips on securing a form.
> >
> >
> > Well, you make sure that SQL cannot be inserted by using CFQUERYPARAM
> > around your values, so any altering of form fields or URLs won't allow
> > code execution. There isn't much you can do about general text fields, as
> > these are intended for people to type text into. But as long as you stop
> > code execution, then nothing they put here will do any damage. You may
> > want to do validation to stop any tags being typed into the fields, and
> > stop arbitrary code from calling individual pages on your site, otherwise
> > people can then use JavaScript and the like to get at people's data.
> >
> > An example of this. Let's say you have a site where you can view people's
> > profiles or comments, such as a forum for instance. In my post or comment
> > or profile I could put some JavaScript that popped up a new window and
> > loaded the personal settings page into that window (which would load that
> > person's settings because they are logged in). Now because my code is on
> > the calling page that popped up that window, I can now manipulate anything
> > in that window, which means I can alter the form action to submit any form
> > to a URL on my server instead and thus grab any of that person's info such
> > as username/password etc. when they click save, or I can just grab anything
> > that is on that page initially and use an IMG tag to send all the values
> > as attributes to a .cfm page on my server. Or indeed I can pop up any old
> > page from my own server that tells that person they have logged out and to
> > log back in; bam, I have their login details.
> >
> > Now apply this example to sites that take orders, store credit details,
> > private information about people, and you can see how easy it is to steal
> > people's databases without the correct code in place to stop it. I can
> > tell you for a start that I discovered you can do this sort of thing with
> > the Worldpay payment gateway unless you implement code to avoid it.
> >
> > I hope I haven't given you lot any ideas now :-)
> >
> > Russ Michaels
> > Macromedia/Allaire Certified ColdFusion Developer
> >
> > CFDeveloper
> > The free resource and community for ColdFusion developers.
> > http://www.cfdeveloper.co.uk
> >
> > Join the CFDeveloper discussion lists.
> > To subscribe send an e-mail to [EMAIL PROTECTED]
> >
> >
> > > -----Original Message-----
> > > From: Stephen Adams [mailto:[EMAIL PROTECTED]
> > > Sent: 07 September 2004 16:33
> > > To: 'Dev
> > > Subject: [ cf-dev ] Tips on securing a form.
> > >
> > > Hi,
> > >
> > > I have a simple form, which mainly uses drop-down lists, but there are
> > > a couple of textareas and text fields. Can anyone tell me where I can
> > > find tutorials/tips on how to programmatically secure this form?
> > >
> > > At the moment my form submits straight to an INSERT query; I just want
> > > to make sure no one can attack the site through this form.
> > >
> > >
> >
> >
> >
> > -- 
> > These lists are syncronised with the CFDeveloper forum at
> > http://forum.cfdeveloper.co.uk/
> > Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
> >
> > CFDeveloper Sponsors and contributors:-
> > *Hosting and support provided by CFMXhosting.co.uk* ::
> > *ActivePDF provided
> > by activepdf.com*
> >       *Forums provided by fusetalk.com* :: *ProWorkFlow provided by
> > proworkflow.com*
> >            *Tutorials provided by helmguru.com* :: *Lists hosted by
> > gradwell.com*
> >
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> >
>
>
>
> -- 
> These lists are syncronised with the CFDeveloper forum at
http://forum.cfdeveloper.co.uk/
> Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
>
> CFDeveloper Sponsors and contributors:-
> *Hosting and support provided by CFMXhosting.co.uk* :: *ActivePDF provided
by activepdf.com*
>       *Forums provided by fusetalk.com* :: *ProWorkFlow provided by
proworkflow.com*
>            *Tutorials provided by helmguru.com* :: *Lists hosted by
gradwell.com*
>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>
>



-- 
These lists are syncronised with the CFDeveloper forum at 
http://forum.cfdeveloper.co.uk/
Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/
 
CFDeveloper Sponsors and contributors:-
*Hosting and support provided by CFMXhosting.co.uk* :: *ActivePDF provided by 
activepdf.com*
      *Forums provided by fusetalk.com* :: *ProWorkFlow provided by proworkflow.com*
           *Tutorials provided by helmguru.com* :: *Lists hosted by gradwell.com*

To unsubscribe, e-mail: [EMAIL PROTECTED]

Reply via email to