[thelist] removing line feed and carriage return characters in coldfusion

Sarah Adams mr.sanders at geekjock.ca
Mon Jul 24 12:37:59 CDT 2006

>> In my reading about how to prevent email header injection attacks, I've
>> seen many references to removing the following new line characters:
>> <snip>
>> But I'm really not sure if Chr(10) is equivalent to %0A (or, for that
>> matter, why checking for \n and \r isn't enough). Suggestions?

> Can't see how this affects CFMAIL.

Do you mean that email header injection is not possible in CF and my
efforts are therefore unnecessary? I have read in a couple of places
that email header injection is not possible in CF, but nowhere so
authoritative that I believe it 100%. Can anyone confirm this?

Regardless, my question is not about preventing email header injection,
but about looking for evidence of such hacking, and then trying to
discourage spammers from returning to the site by sending them a 404
header. Even if the header injection attempts are unsuccessful, that
doesn't mean they aren't using up bandwidth. I had one such spammer who
hit a form over 14,000 times in a 2 week period.

sarah adams
web developer & programmer
portfolio: http://sarah.designshift.com
blog: http://hardedge.ca

More information about the thelist mailing list