Albee_J asked:
ColdFusion Application.cfc: will a script run on page load through Application.cfc?

We are currently under attack with a script-based SQL injection. It is slapping a <script .js > into all of our ntext and nvarchar fields. One of the ways we are trying to prevent this is by putting the script below into our Application.cfc. What we don't know is whether this will run on page load for all of our forms.

<cfloop list="#FORM.FieldNames#" index="i">
<cfscript>
// HTML-escape angle brackets and double quotes in every submitted field,
// and blank out single quotes so they cannot close an SQL string literal
FORM[i] = replace(FORM[i],'<','&lt;','ALL');
FORM[i] = replace(FORM[i],'>','&gt;','ALL');
FORM[i] = replace(FORM[i],'"','&quot;','ALL');
FORM[i] = replace(FORM[i],'''',' ','ALL');
</cfscript>
</cfloop>
Yamagami:

Your first course of action should be to change ALL queries to use CFQUERYPARAM tags instead of embedding the variables in the SQL code. That would prevent you from being harmed by SQL injections.

What you are doing might cause you some unwanted behaviour as ALL greater/smaller than symbols would be escaped, even when they are innocent.
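The before/after that the answer above is asking for, as an added example that is not code from the original thread. The datasource name `myDSN`, the table `comments` and the fields `FORM.comment` and `URL.id` are assumed for illustration; the stored-`<script>` problem the asker describes is handled on the way out with output encoding, which is a separate fix from the parameterised query.

```cfml
<!--- VULNERABLE (the pattern the thread is trying to get away from):
      the submitted value is concatenated into the SQL text, so a single quote
      in FORM.comment ends the literal and whatever follows runs as SQL --->
<cfquery name="qInsertBad" datasource="myDSN">
    INSERT INTO comments (body) VALUES ('#FORM.comment#')
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a bind parameter. The database
      never parses it as SQL, so quotes and <script> tags are stored as plain
      data. cf_sql_varchar also works for nvarchar/ntext columns; use
      cf_sql_longvarchar if the column is ntext and the value is long. --->
<cfquery name="qInsertGood" datasource="myDSN">
    INSERT INTO comments (body)
    VALUES (<cfqueryparam value="#FORM.comment#" cfsqltype="cf_sql_varchar">)
</cfquery>

<!--- Typed parameters also validate: a non-numeric URL.id throws instead of
      reaching the database --->
<cfquery name="qSelect" datasource="myDSN">
    SELECT id, body
    FROM   comments
    WHERE  id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Rows that were already poisoned with <script ...> tags are rendered
      harmless by HTML-encoding at output time, which is where the escaping
      belongs (this is what the per-request FORM loop tries to do too early) --->
<cfoutput query="qSelect">
    <p>#htmlEditFormat(qSelect.body)#</p>
</cfoutput>
```

The two halves address two different problems: cfqueryparam stops the injection from ever writing into the ntext/nvarchar columns, and htmlEditFormat on output stops any script that is already in the data from executing in visitors' browsers. Neither depends on the input-scrubbing loop, which can then be dropped or kept only as defence in depth.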
Albee_J (ASKER):

We don't use any client-side WYSIWYG that would make us have to use those quotes.
We have also already implemented the use of cfqueryparam.
You should be in the clear with the use of cfqueryparam.
Put your code above in the onRequestStart to have it run for every request.
Sorry, I meant the onRequestStart method of Application.cfc.
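An Application.cfc that runs the asker's loop from onRequestStart on every request, as an added example rather than the thread's accepted (hidden) solution. The application name `MyApp` is an assumption; the escaping itself is the asker's own, with the bug fixed so that `>` is escaped as well as `<`.

```cfml
<cfcomponent output="false">

    <!--- this.name is required; any short string identifies the application --->
    <cfset this.name = "MyApp">

    <!--- onRequestStart fires before every requested page. Returning true lets
          the request continue; returning false aborts it. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- FORM.FieldNames only exists when the request actually carried
              form fields; a plain GET would otherwise throw here --->
        <cfif structKeyExists(FORM, "FieldNames")>
            <cfloop list="#FORM.FieldNames#" index="i">
                <!--- HTML-escape angle brackets and double quotes, blank out
                      single quotes. Note this touches FORM only; URL and
                      COOKIE scopes pass through untouched. --->
                <cfset FORM[i] = replace(FORM[i], "<", "&lt;", "ALL")>
                <cfset FORM[i] = replace(FORM[i], ">", "&gt;", "ALL")>
                <cfset FORM[i] = replace(FORM[i], '"', "&quot;", "ALL")>
                <cfset FORM[i] = replace(FORM[i], "'", " ", "ALL")>
            </cfloop>
        </cfif>

        <cfreturn true>
    </cffunction>

</cfcomponent>
```

Place this file in the web root (or any directory above the pages it should cover); ColdFusion finds it automatically. Yamagami's caveat still applies: every innocent `<`, `>`, `"` and `'` in every field is rewritten before any page sees it, so a user typing "5 < 6" or an apostrophe in a surname gets altered data. With cfqueryparam already in place this loop is defence in depth, not the fix.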
Albee_J (ASKER):
What would the exact syntax be for the use of the onRequestStart method?

Sorry, still a newbie.
The other way is to use validation on the form, which should prevent users from entering special characters.
ASKER CERTIFIED SOLUTION
Yamagami:

This solution is only available to members.