Hey, I'm attempting to rid a few form fields of potentially malicious characters. Right now all I'm really worrying about are <'s, >'s and "'s, and I've been replacing them with their & counterparts, i.e.

    <!--- characters to replace: " < > --->
    <cfset replist = chr(34) & "," & chr(60) & "," & chr(62)>
    <!--- their HTML entity equivalents (entity names restored; the post's copy had been decoded) --->
    <cfset repwith = "&quot;,&lt;,&gt;">
    <!--- ReplaceList swaps each item in replist for the item at the same position in repwith --->
    <cfset Form.SomeTextField = ReplaceList(Form.SomeTextField, replist, repwith)>

Then the field is validated and put in its place in the database. Just wondering if there is anything immediately wrong anyone sees with doing this? OR if there are any other characters that I should worry about?
Sorry for bumping this thread, but since no one had an answer for that question, maybe someone could just tell me if doing this is enough. Since I'm running a ColdFusion server, and I'm already removing <'s, >'s and "'s, do I need to worry about &'s? I realize that if someone enters their e-mail as guy @domain.org it will come out as guy @domain.org which will not work, but I'm not at all concerned about something like that. I'm not generating e-mails, I'm just leaving a link for theirs. The site is almost like a phonebook. I'm just worried if anyone enters some kind of combination of & identities that they will blow up my site or database or something. Sorry, I haven't worked much with security before.
If that is your concern, you can use <cfqueryparam .....> fields in the values (...) part of your query. The benefit is twofold: it will escape the variables (but SQL escape codes, not HTML escape like in your example) and it protects against someone submitting script which has been utilized in the past to hack forums etc. Just google cfqueryparam to see how it works.
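To make the advice above concrete, here is an added example (not code from any poster) showing the concatenated query beside the cfqueryparam version, plus entity encoding at output time instead of stripping on input. It assumes a datasource named "phonebook" and a table "contacts" with columns id, name and email; all three names are hypothetical.

```cfml
<!--- Added example. Assumed (hypothetical): datasource "phonebook",
      table contacts(id, name, email). --->

<!--- Weak form: the request value is dropped straight into the SQL text.
      Because it is not inside quotes, ColdFusion's automatic doubling of
      single quotes does not apply, and whatever arrives in URL.id becomes
      part of the statement. Removing < > and " beforehand does not change that. --->
<cfquery name="lookupWeak" datasource="phonebook">
    SELECT name, email FROM contacts WHERE id = #URL.id#
</cfquery>

<!--- Corrected form: cfqueryparam binds the value as a typed parameter, so
      the database never parses it as SQL. cf_sql_integer also rejects
      anything that is not a whole number before the query is sent. --->
<cfquery name="lookupSafe" datasource="phonebook">
    SELECT name, email FROM contacts
    WHERE id = <cfqueryparam value="#URL.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same treatment for the INSERT discussed in the thread: store the text
      as entered and let the driver handle quoting. maxlength bounds the
      input; an oversized value throws instead of being silently truncated. --->
<cfquery name="insertContact" datasource="phonebook">
    INSERT INTO contacts (name, email)
    VALUES (
        <cfqueryparam value="#Form.Name#"  cfsqltype="cf_sql_varchar" maxlength="100">,
        <cfqueryparam value="#Form.Email#" cfsqltype="cf_sql_varchar" maxlength="254">
    )
</cfquery>

<!--- Output side: encode when rendering rather than stripping on the way in.
      HTMLEditFormat escapes & < > and ", so a stored value such as
      guy@domain.org survives intact in the database and in the mailto link,
      and stored text can never turn into markup on the listing page. --->
<cfquery name="listing" datasource="phonebook">
    SELECT name, email FROM contacts ORDER BY name
</cfquery>
<cfoutput query="listing">
    <a href="mailto:#HTMLEditFormat(listing.email)#">#HTMLEditFormat(listing.name)#</a><br>
</cfoutput>
```

The thread's entity replacement and cfqueryparam address two different layers: cfqueryparam keeps input from being interpreted as SQL, while encoding at output keeps it from being interpreted as HTML.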