0 Replies Latest reply on Mar 24, 2009 10:04 AM by Adobe Forums User


    Adobe Forums User
      So, I'm no stranger to CF applications, but over the years I've gotten a bit more in depth with my SQL injection prevention techniques. I've prevented form-based SQL and HTML injection numerous ways throughout the years, and now I'm wrapping up another project and just wanted to poll fellow developers to see what's new on the subject.

      I CFQUERYPARAM all queries, and do some pretty anal-retentive checking of user-inputted data, but the TEXT form field type needs some extra-special attention. Take an account creation form, with these fields, for example:

      - First Name
      - Last Name
      - E-Mail Address
      - Password
      - Confirm Password
      - Date Of Birth

      E-Mail addresses are easily validated, as are both password fields. Date of birth is also easily validated.

      But what about the first and last name form data? I, of course, restrict the length of the TEXT field, for example 25 characters each, and CFQUERYPARAM what goes into the database. I could HTMLEDITFORMAT the data on the way in, but names with special characters get converted into much longer strings, thus erroring if the newly expanded HTMLEDITFORMAT'd data exceeds the CFQUERYPARAM MAXLENGTH. I can always store data exactly as the user inputs it, and then HTMLEDITFORMAT anything printed out to a page later, but that seems odd.
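The trade-off the post describes, as an added example that is not part of the original post or of ColdFusion itself: a Python/sqlite3 sketch of the "store raw, parameterize the query, encode at output" pattern. The parameterized insert plays the role of CFQUERYPARAM with MAXLENGTH=25, `html.escape` stands in for HTMLEDITFORMAT, and the table layout, the 25-character limit and the sample names are assumptions chosen to match the form in the post. It also shows why encoding before the length check is awkward: a legitimate 15-character name grows to 30 characters once encoded, so it would trip a 25-character MAXLENGTH even though the raw value fits.

```python
import html
import sqlite3

MAX_NAME_LEN = 25  # assumed: matches the 25-character TEXT field in the post


def is_valid_name(raw):
    """Length-check the raw input, exactly as it will be stored."""
    name = raw.strip()
    return 0 < len(name) <= MAX_NAME_LEN


def encoded_length(raw):
    """Length the value would have if it were HTML-encoded before storage."""
    return len(html.escape(raw, quote=True))


def create_account(conn, first, last, email):
    """Validate the raw values, then insert them with bound parameters."""
    if not (is_valid_name(first) and is_valid_name(last)):
        raise ValueError("names must be 1-%d characters" % MAX_NAME_LEN)
    # Bound parameters are the sqlite3 equivalent of cfqueryparam: the
    # values never become part of the SQL text, so quotes, semicolons and
    # comment markers inside a name are stored literally, not executed.
    conn.execute(
        "INSERT INTO accounts (first_name, last_name, email) VALUES (?, ?, ?)",
        (first.strip(), last.strip(), email),
    )
    conn.commit()


def render_name(conn, email):
    """Encode at output time, when the stored name is placed into HTML."""
    row = conn.execute(
        "SELECT first_name, last_name FROM accounts WHERE email = ?", (email,)
    ).fetchone()
    if row is None:
        return None
    return "<p>%s %s</p>" % (html.escape(row[0]), html.escape(row[1]))


def demo():
    """Run the round trip on constructed input and return what happened."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (first_name TEXT, last_name TEXT, email TEXT UNIQUE)"
    )
    # Constructed sample input: a first name carrying SQL syntax characters
    # and an apostrophe surname, both within the 25-character limit.
    create_account(conn, "Robert'); --", "O'Brien", "rob@example.invalid")
    stored = conn.execute(
        "SELECT first_name, last_name FROM accounts"
    ).fetchone()
    table_still_exists = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='accounts'"
    ).fetchone() is not None
    return {
        "stored_first": stored[0],
        "stored_last": stored[1],
        "row_count": conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0],
        "table_still_exists": table_still_exists,
        "rendered": render_name(conn, "rob@example.invalid"),
    }


if __name__ == "__main__":
    print(demo())
    print("raw length:", len("O'Brien & Co<b>"),
          "encoded length:", encoded_length("O'Brien & Co<b>"))
```

Storing the raw value and encoding on output keeps the length check honest (it measures what the column actually holds) and keeps the stored data reusable in non-HTML contexts such as e-mail or CSV export, where HTML entities would be wrong; the only rule is that every HTML view of the field must encode it.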