Validating Data Received from the Client


Submitted by Jackson Moore, jackson@devusion.com

The most important thing you can do at the code level to prevent errors and security breaches is to validate all data received from the client. Validating this data is your first line of defense against CFML runtime errors, broken HTML output, cross-site scripting attacks, unauthorized access to web site content, and unintended server-side operations.

Given the skill (and the motivation), any user can alter the query string, edit their cookies, or present an IP address that is not their own by sending requests through a proxy. A user can also save your form page to disk, change any field on it (including hidden fields and select lists), strip out the client-side validation, and submit the result. You can't even rely on CGI.HTTP_REFERER to verify the origin of a form submission, because the user can set it to anything, and privacy software and corporate proxies often remove it altogether.
</grreplace>
<gr_replace lines="10" cat="clarify" orig="All URL parameters">
All URL parameters, form fields, cookies, and CGI variables (such as HTTP_USER_AGENT) must be validated on the server for both data type and value before you reference them in your code. Ask yourself, "Is URL.ARTICLE_ID an integer, and does it correspond with a database record that this user is authorized to access?" Do not use the value until the answer to both questions is "yes"; a value that fails either check should be rejected outright, not silently replaced with a default. Type and range checks are necessary but not sufficient: the value must still be passed to the database through cfqueryparam rather than concatenated into SQL, and anything echoed back to the browser must be escaped with HTMLEditFormat.

All URL parameters, form fields, cookies, and browser variables must be validated on the server for both data type and value before you reference them in your code. Ask yourself, "Is URL.ARTICLE_ID an integer, and does it correspond with a database record that this user is authorized to access?" Make sure the answer is "yes."
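As an added example (not code from the book or from the tip's author), here is what that check might look like in CFML for URL.ARTICLE_ID. The datasource name "articles", the articles table and its columns, and the SESSION.userID variable (assumed to be set at login, with session management enabled in Application.cfm) are all assumptions for illustration.

```cfml
<!--- Added example, not from the book. Validates URL.article_id for type,
      value, and authorization before it is used, then encodes the output.
      Datasource "articles", the articles table, and SESSION.userID are
      assumed for illustration. --->

<!--- 1. Existence and data type: the parameter must be present and must be
      a plain positive integer. The regex rejects empty strings, negative
      numbers, decimals, exponent notation such as "1e3", and the
      comma-joined value ColdFusion produces when the same parameter is
      sent twice in one query string. --->
<cfif NOT structKeyExists(URL, "article_id")
      OR NOT REFind("^[0-9]{1,9}$", URL.article_id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Invalid article id.</p></cfoutput>
    <cfabort>
</cfif>
<cfset articleID = Val(URL.article_id)>

<!--- 2. Value and authorization: the record must exist AND belong to the
      logged-in user. Folding the ownership test into the WHERE clause means
      an unauthorized id and a nonexistent id look the same to the caller,
      which avoids leaking which ids are valid. cfqueryparam binds the values
      so the database never interprets them as SQL text. --->
<cfquery name="getArticle" datasource="articles">
    SELECT article_id, title, body
    FROM   articles
    WHERE  article_id = <cfqueryparam cfsqltype="cf_sql_integer" value="#articleID#">
    AND    owner_id   = <cfqueryparam cfsqltype="cf_sql_integer" value="#SESSION.userID#">
</cfquery>

<cfif getArticle.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput><p>Article not found.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 3. Output encoding: the stored title and body originally came from a
      client too, so escape them before they reach the browser. This is
      what stops a stored cross-site scripting payload from executing. --->
<cfoutput>
    <h1>#HTMLEditFormat(getArticle.title)#</h1>
    <div>#HTMLEditFormat(getArticle.body)#</div>
</cfoutput>
```

The same three steps apply to FORM fields and cookies: check presence and type with a strict pattern, confirm the value against the database under the current user's identity, and encode on the way out. Rejecting with cfabort rather than falling back to a default keeps a tampered request from quietly reaching a different record.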



Inside ColdFusion MX
ISBN: 0735713049
Year: 2005
Pages: 579
