Submitted by Jackson Moore, jackson@devusion.com

The most important thing you can do at the code level to prevent errors and security breaches is to validate all data received from the client's browser. Validating this data will prevent CFML code errors, HTML display errors, cross-site scripting attacks, unauthorized access to web site content, and unintended server-side operations. Depending on his skill level (and desire), any user can alter the query string, modify his cookies, or spoof his IP address. A user can also save your form page to his computer, override form fields, and bypass client-side validation before submitting a form. You can't even rely on CGI.HTTP_REFERER to verify the origin of a form submission because it can be changed by the user and is often blocked altogether by some privacy software and corporate firewalls. All URL parameters, form fields, cookies, and browser variables must be validated on the server for both data type and value before you reference them in your code. Ask yourself, "Is URL.ARTICLE_ID an integer, and does it correspond with a database record that this user is authorized to access?" Make sure the answer is "yes."
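The URL.ARTICLE_ID check described above, written out in CFML as an added example (not code from the tip's author). It assumes a session variable session.userId set at login, a datasource named site_ds, and an articles table with article_id and owner_id columns; all three are assumptions, not part of the original.

```cfml
<!--- Added example, not from the original tip. Assumed: session.userId, datasource "site_ds",
      table "articles" with columns article_id, owner_id, title, body. --->
<cfparam name="url.article_id" default="">

<!--- 1. Data type: accept only a plain positive integer (at most 10 digits) before anything
      touches the database. REFind returns 0 when the pattern does not match. --->
<cfif REFind("^[1-9][0-9]{0,9}$", url.article_id) EQ 0>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput><p>Invalid article id.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 2. Value: the record must exist AND belong to the logged-in user. cfqueryparam binds the
      values as typed parameters, so they are never spliced into the SQL text. --->
<cfquery name="article" datasource="site_ds">
    SELECT article_id, title, body
    FROM   articles
    WHERE  article_id = <cfqueryparam value="#url.article_id#" cfsqltype="cf_sql_integer">
    AND    owner_id   = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- "Does not exist" and "not yours" get the same response, so the page does not reveal
      which ids are valid to a user who walks the query string. --->
<cfif article.recordCount EQ 0>
    <cfheader statuscode="404" statustext="Not Found">
    <cfoutput><p>Article not found.</p></cfoutput>
    <cfabort>
</cfif>

<!--- 3. Output: even a validated record is HTML-escaped on the way back to the browser,
      which is what stops stored cross-site scripting in the article body. --->
<cfoutput>
    <h1>#HTMLEditFormat(article.title)#</h1>
    <div>#HTMLEditFormat(article.body)#</div>
</cfoutput>
```

The same three steps (type check, ownership-scoped query with cfqueryparam, escaped output) apply unchanged to FORM and COOKIE values; only the scope name differs.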