Try these

http://www.cflib.org/udf.cfm?ID=434
http://www.cflib.org/udf.cfm?ID=833
http://www.cflib.org/udf.cfm?ID=12

Russ Michaels
Macromedia Certified ColdFusion Professional
CFMX Hosting - Macromedia ColdFusionMX Hosting
Phone: 0845 456 3487
Tech Support: 0906 9607800
FAX: 0709 2212 636
WEB: www.cfmxhosting.co.uk
Helpdesk: www.cfmxhosting.co.uk/helpdesk
----------------------------------------------------------------------------
Please use the support helpdesk on our web site to submit support tickets.
Join our ColdFusion Developer discussion lists and forums at www.cfdeveloper.co.uk.
----------------------------------------------------------------------------

> -----Original Message-----
> From: Damian Watson [mailto:[EMAIL PROTECTED]
> Sent: 08 September 2004 10:44
> To: [EMAIL PROTECTED]
> Subject: Re: [ cf-dev ] Tips on securing a form.
>
> Matt, which bit of code is it?? Can't find it!
>
> Matt Horn wrote:
>
> > the solution is simple
> >
> > strip out javascript and HTML from form posts by replacing < and > with
> > &gt; and &lt; and the word 'javascript' with java script or something
> >
> > that way if code is posted it will be rendered ineffective
> >
> > cflib has a bit of code to do just that AFAIK
> >
> > HTH
> >
> > Matt
> >
> > ----- Original Message -----
> > From: "Russ Michaels (Snake)" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 08, 2004 10:10 AM
> > Subject: RE: [ cf-dev ] Tips on securing a form.
> >
> >> Yes because the javascript you're putting in the form is being saved in
> >> the database and displayed on another page. You're not altering the
> >> original page.
> >> This allows you to gain access to pages and data that only the person
> >> logged into the site should be able to see.
> >>
> >> Russ
> >>
> >>> -----Original Message-----
> >>> From: Mark Smyth [mailto:[EMAIL PROTECTED]
> >>> Sent: 07 September 2004 17:24
> >>> To: '[EMAIL PROTECTED]'
> >>> Subject: RE: [ cf-dev ] Tips on securing a form.
> >>>
> >>> Hi Russ
> >>>
> >>> I'm a bit confused. Is entering the javascript into formfields and
> >>> then altering the HTML any different than viewing the source of a
> >>> form, saving a local copy and then altering the HTML and posting it?
> >>>
> >>> Thanks
> >>> Mark
> >>>
> >>> -----Original Message-----
> >>> From: Russ Michaels (Snake) [mailto:[EMAIL PROTECTED]
> >>> Sent: 07 September 2004 17:03
> >>> To: [EMAIL PROTECTED]
> >>> Subject: RE: [ cf-dev ] Tips on securing a form.
> >>>
> >>> Well you make sure that SQL cannot be inserted by using CFQUERYPARAM
> >>> around your values, so any altering of formfields or URLs won't
> >>> allow code execution. There isn't much you can do about general text
> >>> fields as these are intended for people to type text into. But as
> >>> long as you stop code execution then nothing they put here will do
> >>> any damage. You may want to do validation to stop any TAGS being
> >>> typed into the fields, and stop arbitrary code from calling individual
> >>> pages on your site, otherwise people can then use javascript and the
> >>> likes to get at people's data. An example of this.
> >>> Let's say you have a site where you can view people's profiles or
> >>> comments, such as a forum for instance. In my post or comment or
> >>> profile I could put some javascript that popped up a new window and
> >>> loaded the personal settings page into that window (which would load
> >>> that person's settings cozz they are logged in). Now because my code is
> >>> on the calling page that popped up that window, I can now manipulate
> >>> anything in that window, which means I can alter the form action to
> >>> submit any form to a URL on my server instead and thus grab any of
> >>> that person's info such as username/password etc when they click save,
> >>> or I can just grab anything that is on that page initially and use
> >>> an IMG tag to send all the values as attributes to a .cfm page on my
> >>> server. Or indeed I can popup any old page from my own server that
> >>> tells that person they have logged out and to log back in, bam I have
> >>> their login details. Now apply this example to sites that take
> >>> orders, store credit details, private information about people and
> >>> you can see how easy it is to steal people's databases without the
> >>> correct code in place to stop it. I can tell you for a start that I
> >>> discovered you can do this sort of thing with the Worldpay payment
> >>> gateway unless you implement code to avoid it.
> >>>
> >>> I hope I haven't given you lot any ideas now :-)
> >>>
> >>> Russ Michaels
> >>> Macromedia/Allaire Certified ColdFusion Developer
> >>>
> >>> CFDeveloper
> >>> The free resource and community for ColdFusion developers.
> >>> http://www.cfdeveloper.co.uk
> >>>
> >>> Join the CFDeveloper discussion lists.
> >>> To subscribe send an e-mail to [EMAIL PROTECTED]
> >>>
> >>>> -----Original Message-----
> >>>> From: Stephen Adams [mailto:[EMAIL PROTECTED]
> >>>> Sent: 07 September 2004 16:33
> >>>> To: 'Dev
> >>>> Subject: [ cf-dev ] Tips on securing a form.
> >>>>
> >>>> Hi,
> >>>>
> >>>> I have a simple form, which mainly uses drop down lists, but there
> >>>> are a couple of textareas and textfields. Can anyone tell me where I
> >>>> can find tutorials/tips on how to programmatically secure this form.
> >>>>
> >>>> At the moment my form submits straight to an INSERT query, I just
> >>>> want to make sure no one can attack the site through this form.

--
These lists are synchronised with the CFDeveloper forum at http://forum.cfdeveloper.co.uk/
Archive: http://www.mail-archive.com/dev%40lists.cfdeveloper.co.uk/

CFDeveloper Sponsors and contributors:-
*Hosting and support provided by CFMXhosting.co.uk* :: *ActivePDF provided by activepdf.com*
*Forums provided by fusetalk.com* :: *ProWorkFlow provided by proworkflow.com*
*Tutorials provided by helmguru.com* :: *Lists hosted by gradwell.com*

To unsubscribe, e-mail: [EMAIL PROTECTED]
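The two mitigations the thread settles on, parameterising the INSERT the form submits to (what CFQUERYPARAM does in ColdFusion) and entity-encoding stored text before it is displayed, shown as an added Python example with sqlite3 standing in for the site's database; this is not code from the list, from cflib or from any of the posters, and the sample posts are constructed. It encodes all five HTML-significant characters rather than only < and >, so text landing inside an attribute is covered too, and includes the concatenated "before" INSERT to show how a plain quote already breaks it.

```python
import html
import sqlite3

# Constructed sample form submissions (not from the thread): plain text, text
# containing markup, and text containing a single quote.
SAMPLE_POSTS = [
    ("alice", "Great article, thanks!"),
    ("mallory", "<b>bold</b> and <script>alert('hi')</script>"),
    ("bob", "Don't forget the quote ' in here"),
]

def new_store():
    """In-memory table standing in for the forum's comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return conn

def store_post(conn, author, body):
    """Parameterised INSERT: the driver binds the values separately from the SQL,
    so quotes or SQL keywords in the text are stored as data, never executed.
    This is the role CFQUERYPARAM plays around values inside a <cfquery>."""
    conn.execute("INSERT INTO posts (author, body) VALUES (?, ?)", (author, body))

def concatenated_insert_breaks(conn, author, body):
    """The 'before' pattern from the thread: values pasted straight into the SQL
    string. Returns True if the statement fails to parse, the symptom that shows
    user text has become part of the query rather than data in it."""
    try:
        conn.execute(f"INSERT INTO posts (author, body) VALUES ('{author}', '{body}')")
        return False
    except sqlite3.OperationalError:
        return True

def render_body(body):
    """Entity-encode on output so the browser shows the markup a user typed
    instead of parsing it. quote=True also encodes " and ', which matters when
    stored text is placed inside an attribute value."""
    return html.escape(body, quote=True)

def rebuild_and_render():
    """Store every sample post safely, then return (author, encoded body) pairs
    ready to drop into an HTML page."""
    conn = new_store()
    for author, body in SAMPLE_POSTS:
        store_post(conn, author, body)
    rows = conn.execute("SELECT author, body FROM posts ORDER BY id").fetchall()
    return [(author, render_body(body)) for author, body in rows]

if __name__ == "__main__":
    for author, encoded in rebuild_and_render():
        print(f"{author}: {encoded}")
    print("concatenation broke on bob's post:",
          concatenated_insert_breaks(new_store(), *SAMPLE_POSTS[2]))
```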
