Compliance Engineer for Macromedia
Email: [EMAIL PROTECTED]
Yahoo IM : morpheus
My ally is the Force, and a powerful ally it is. - Yoda
-Original Message-
From: Jennifer Larkin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 7:14 PM
To: CF-Talk
Subject: RE: Forms and CF
Why would anyone need to clean cfcode? Unless you save user input to a
file and cfinclude it, it will not get executed.
FYI, to clean HTML and stuff, look for StripHTML on cflib.org
Raymond Camden wrote:
Why would anyone need to clean cfcode? Unless you save user input to a
file and cfinclude it, it will not get executed.
That is a dangerous oversimplification.
Raymond Camden wrote:
Many people generate dynamic forms and loop over either
form.fieldnames
or the form collection to evaluate the forms that are posted
back. This
frequently involves the Evaluate() function. Something like:
<cfloop list="#form.fieldnames#" index="i">
<cfset temp =
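As an added example (not code from anyone in this thread), here is the form.fieldnames loop Raymond describes rewritten without Evaluate(), using the struct notation form[fieldName] so the client-supplied field name is never parsed as a CFML expression, combined with the kind of tag-stripping routine Shawn keeps in application.cfm. The allowed field list, the tag-stripping regex and the exception type are my assumptions.

```cfml
<!--- Added example, not from the thread. Assumes the page generated a
      form with exactly the fields "name", "email" and "comment". --->
<cfset allowedFields = "name,email,comment">

<cfset clean = StructNew()>
<cfloop list="#form.fieldnames#" index="fieldName">
    <!--- 1. Field names arrive from the client too, so accept only the
          ones this application generated itself. --->
    <cfif NOT ListFindNoCase(allowedFields, fieldName)>
        <cfthrow type="UnexpectedFormField"
                 message="Form field was not generated by this application">
    </cfif>

    <!--- 2. Struct notation reads the value directly; unlike
          Evaluate("form." & fieldName), nothing here is interpreted. --->
    <cfset rawValue = form[fieldName]>

    <!--- 3. Strip tags so stored input cannot later be rendered as HTML
          or, if it ever ends up in a cfinclude'd file, run as CFML.
          This is cleaning, not escaping: values still go to SQL through
          cfqueryparam, not string concatenation. --->
    <cfset clean[fieldName] = REReplace(rawValue, "<[^>]*>", "", "ALL")>
</cfloop>
```

Put the loop in application.cfm and later code reads only from the clean struct rather than the raw form scope.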
loop through the
Query parameters, and the form elements - guess I should include cookies in
there too.)
My two cents worth.
Shawn Grover
-Original Message-
From: Raymond Camden [mailto:[EMAIL PROTECTED]]
Sent: 19 December 2001 15:44
To: CF-Talk
Subject: RE: Forms and CF Code
Shawn Grover wrote:
I place my stripping functions in the application.cfm - so that every page I
code is automagically protected from the script kiddies, without me having
to worry about it on every page I write. (My functions loop through the
Query parameters, and the form elements -
Dieten [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 19, 2001 9:32 AM
To: CF-Talk
Subject: Re: Forms and CF Code
I wrote a simple routine that would loop through all the form elements,
strip out HTML, and change single quotes to chr(97). It'd be easy enough to
do something similar for cfcode - just check for the CF or specific CF
functions. A simple search/replace, or regular expression can handle this.
Do you mean submit code in formfields?
On Tue, 18 Dec 2001, Tangorre, Michael T. wrote:
Hi Everyone.
What steps can be taken to prevent users from submitting cfcode via a form?
Are there any tags out there that will protect?
Any ideas or suggestions would be much appreciated.
Michael T.
In addition to CF code, you may need to strip out other characters to avoid
SQL hacks and such. If I can, I strip all ; # % * ' ( ) and , with
REReplace or use REFind to detect the nasty ones and throw an error
message, including sending an email message to me. and eliminate the
Yes, that is correct
-Original Message-
From: Alex [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 18, 2001 5:54 PM
To: CF-Talk
Subject: Re: Forms and CF Code
Do you mean submit code in formfields?
On Tue, 18 Dec 2001, Tangorre, Michael T. wrote:
Hi Everyone.
What steps can
use validation. regular expressions.
On Tue, 18 Dec 2001, Tangorre, Michael T. wrote:
Yes, that is correct