allowing only specific characters in input

New Here, Mar 13, 2008
Hello,
My projects were audited for security and it was found that a logged-in user (only) could hack my programs because I was not being careful to keep certain characters from being input, not just pointy brackets and pound signs. I am now told to do no client-side checking.

I am thinking of defining an allowable character list and checking each input box character by character.

What is a faster and more efficient way than looping through each input value's characters one by one and using find() to check if those characters are in the list of good characters?

Thanks.
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Advisor, Mar 13, 2008
If your issue is related to SQL injection you can use cfqueryparam in your queries.
Advisor, Mar 13, 2008
More on SQL injection and cfqueryparam
http://www.adobe.com/devnet/coldfusion/articles/ben_forta_faster.html

You could also use regular expressions to check input for any characters or patterns you wish to disallow.
Guest, Mar 13, 2008
If you feel you can make use of it, this might be a place to start:

[^-_,\.@a-zA-Z0-9\s]

I use this regex as part of a parameter to a refindnocase function inside a little UDF I wrote to scrub user input. It's not the entire expression, and I don't feel comfortable simply posting the whole UDF (not trying to be mysterious, but it's part of our online security, after all, and is the property of my employer).

I think your approach of defining allowable characters, instead of trying to define non-allowable ones, makes a great deal of sense and is the approach that seems to be widely recommended. That's what I use the expression above to do: if the character ain't in that set, it gets deleted from the input string. It can exact a price even from an innocent string, though; note that if a user inputs "O'Brien" it'll come through as "OBrien", which for my purposes is no more than a minor inconvenience. YMMV.

If that code makes no sense, spend an hour reading up on regular expressions and you'll get it.

Bob's advice to become familiar with cfqueryparam is, of course, excellent.
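An added example, not code from any of the posts above, that puts the thread's two pieces of advice side by side in Python (standard library only, rather than CFML): the poster's allow-list class used once as a scrub (delete anything outside the set, which is the single-pass answer to the "faster than find() character by character" question) and once as a validator (reject instead of rewrite), plus a parameterised query, the idea behind cfqueryparam, so the "O'Brien" apostrophe survives intact. The sample inputs are constructed.

```python
import re
import sqlite3

# The class from the post above: anything NOT in the allow-list matches.
DISALLOWED = re.compile(r"[^-_,\.@a-zA-Z0-9\s]")
# Same character set, used to accept or reject the whole value instead.
ALLOWED_ONLY = re.compile(r"[-_,\.@a-zA-Z0-9\s]*")

def scrub(value: str) -> str:
    """Delete every character outside the allow-list in one regex pass.

    This is the poster's approach: "O'Brien" becomes "OBrien", and
    "<b>hi</b>" becomes "bhib". Data is silently altered, not rejected.
    """
    return DISALLOWED.sub("", value)

def is_clean(value: str) -> bool:
    """Validate instead of rewrite: True only if every character is allowed."""
    return ALLOWED_ONLY.fullmatch(value) is not None

def store_and_fetch(name: str) -> str:
    """Round-trip a value through a parameterised insert and select.

    The value is bound as data, never spliced into the SQL text, which is
    what cfqueryparam does in ColdFusion. Uses an in-memory SQLite table
    so the example runs stand-alone.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    con.close()
    return row[0]

if __name__ == "__main__":
    for sample in ["O'Brien", "bob@example.com", "<b>hi</b>"]:  # constructed inputs
        print(f"{sample!r}: clean={is_clean(sample)} "
              f"scrubbed={scrub(sample)!r} stored={store_and_fetch(sample)!r}")
```

Scrubbing and validating both keep the forbidden characters out of the application; only the parameterised query keeps the apostrophe in the name without making the query unsafe.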