There was recently a question on here about sql injection and about request calls being cleansed (http://www.vpasp.com/virtprog/vpaspforum/topic.asp?TOPIC_ID=13223).
I have a follow up question about this.
I am just doing a double check of all code and have found some instances in the byz add-ons where the requests are not cleansed, for instance:

tfieldval=Request(tfieldname)

Would this be better written as:

tfieldval=cleanchars(Request(tfieldname))

There are also some instances such as:

instr(lcase(request.ServerVariables("SCRIPT_NAME"))

Would this be better as:

cleanchars(instr(lcase(request.ServerVariables("SCRIPT_NAME")))

Finally in some of the admin pages there are entries such as:

addcategory=request("addcategory")

Would these be better as
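As an added illustration (this is not code from the post above, nor VP-ASP's or the add-on's own code), here are the three cases from the question written out in Classic ASP/VBScript. The `cleanchars` body is an assumed stand-in for whatever helper the shop already ships; `conn` is assumed to be an open ADODB.Connection; the `categories` table, column and the `"admin"` path fragment are constructed for the example. The point it makes: cleanse the string value at the point it is read from the request, not the numeric result of `Instr`, and treat cleansing as defence in depth behind parameterised SQL rather than as the only barrier.

```vbscript
' Added example; not from the forum post or from VP-ASP. Assumes Classic ASP with ADODB.

Function cleanchars(s)
    ' Assumed stand-in for the shop's own helper: removes characters that
    ' commonly terminate or comment out SQL string literals.
    Dim t
    t = CStr(s)
    t = Replace(t, "'", "")
    t = Replace(t, ";", "")
    t = Replace(t, "--", "")
    cleanchars = t
End Function

' Case 1: a value read by field name. Cleanse at the point of input so every
' later use of tfieldval is already sanitised.
Dim tfieldname, tfieldval
tfieldname = "addcategory"
tfieldval = cleanchars(Request(tfieldname))

' Case 2: SCRIPT_NAME comes from the URL the client requested, so it is still
' attacker-influenced. Cleanse the string, then test it. Wrapping Instr() in
' cleanchars() would be wrong: Instr returns a number, not the string.
Dim scriptname
scriptname = cleanchars(LCase(Request.ServerVariables("SCRIPT_NAME")))
If Instr(scriptname, "admin") > 0 Then   ' "admin" is a constructed path fragment
    ' admin-only branch
End If

' Case 3: an admin page storing the value. cleanchars() is defence in depth;
' the parameter binding is what actually keeps the value out of the SQL text.
Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn                       ' assumed open ADODB.Connection
cmd.CommandText = "INSERT INTO categories (categorydesc) VALUES (?)"
cmd.CommandType = 1                                   ' adCmdText
' CreateParameter(name, type, direction, size, value): adVarChar = 200, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("@categorydesc", 200, 1, 255, tfieldval)
cmd.Execute
```

If the existing add-on pages build SQL by string concatenation, the quickest audit is to search them for `Request(` and `Request.` and confirm each hit is either wrapped in the cleansing helper or, better, bound as a parameter as above.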