I recently posted the below on a CF forum in response to a question about how to avoid SQL injection attacks:
If you can limit form field entries to alphas and numbers only, then you are pretty safe.

<cfset someFormField = REReplaceNoCase(form.comments, '[^a-z0-9]', '', 'all')>

When you allow special characters, the risks skyrocket. Don't forget any field is open to attack - hidden form fields, drop lists, password fields (many forget those). You need to use cfqueryparam and HTMLEditFormat, and you need to limit extended characters unless you have no choice. If you allow special characters, then you need to use some of the bad string removal functions available at cflib. Just keep in mind those functions get dated and were probably not 100% effective even when first written.

In response, another forum member posted this link, which I think is worth sharing. It just goes to show how difficult it is at present to stop SQL injection attacks when the input string cannot be character limited.

http://blog.ninanet.com/blog1.php/2008/08/22/sql-injection-attacks-no-end-in-sight

Anyone here have any suggestions other than limiting the character set or "trying" to identify and remove attack strings?
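What the cfqueryparam approach from the post looks like next to the pattern it replaces, as an added example (not code from the original post or from cflib); the datasource name, the comments table and its columns, and the form/url field names are all assumptions:

```cfml
<!--- Added example, not from the original post. Assumes a datasource
      "app_ds" and a table comments(id, author, body); both hypothetical. --->

<!--- Vulnerable form: the value is concatenated into the SQL text.
      ColdFusion doubles single quotes inside #...# within cfquery, but an
      unquoted numeric slot like this one is passed through verbatim, so the
      whole value of url.id is parsed as part of the statement. --->
<cfquery name="badLookup" datasource="app_ds">
    SELECT id, author, body
    FROM comments
    WHERE id = #url.id#
</cfquery>

<!--- Parameterized form: cfqueryparam sends each value as a bind variable,
      separate from the SQL text, so its content is never parsed as SQL no
      matter which characters it contains. cf_sql_integer also rejects
      non-numeric input with an error, and maxlength bounds string size. --->
<cfquery name="goodLookup" datasource="app_ds">
    SELECT id, author, body
    FROM comments
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND author = <cfqueryparam value="#form.author#"
                                 cfsqltype="cf_sql_varchar"
                                 maxlength="50">
</cfquery>

<!--- The character whitelist from the post is still useful as defence in
      depth for fields that only ever need alphanumerics (usernames, codes),
      but it is not a substitute for the bind parameter above. --->
<cfset safeAuthor = REReplaceNoCase(form.author, "[^a-z0-9]", "", "all")>

<!--- Output side: HTMLEditFormat escapes <, >, &, and " so stored text is
      shown as text, not rendered as markup (a separate issue from SQL). --->
<cfoutput query="goodLookup">
    <p>#HTMLEditFormat(author)#: #HTMLEditFormat(body)#</p>
</cfoutput>
```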
