I have been trying to use the UDF below, which I got from
http://www.cflib.org/udf.cfm?ID=612&enable=0.
The problem is this UDF will return true whenever a field contains the word
delete, drop, insert etc., or when it contains a single quote character.
This doesn't really work very well since a user could submit the valid
value: "we'll update the price later and drop by to talk", which would
return true for an injection attack using this UDF.
Anybody have any ideas on how we could go about updating this UDF to be a bit
more accurate?
<cfscript>
/**
 * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
 *
 * @param input String to check. (Required)
 * @return Returns a boolean.
 * @author Will Vautrain ([EMAIL PROTECTED])
 * @version 1, July 1, 2002
 */
function IsSQLInject(input) {
    /*
     * The SQL-injection strings were used at the suggestion of Chris Anley [[EMAIL PROTECTED]]
     * in his paper "Advanced SQL Injection In SQL Server Applications", available for download at
     * http://www.ngssoftware.com/
     */
    var listSQLInject = "select,insert,update,delete,drop,--,'";
    var arraySQLInject = ListToArray(listSQLInject);
    var i = 1;
    // Flag the input as soon as any blacklisted token appears anywhere in it (case-insensitive)
    for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
        if(findNoCase(arraySQLInject[i], input)) return true;
    }
    return false;
}
</cfscript>
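As an added example (not part of the original post), the following template shows the blacklist UDF flagging the legitimate value from the question, and the alternative a defender would reach for instead: binding user input with cfqueryparam so the database receives it as data rather than as SQL text. The datasource name "myDSN", the table "notes" and the columns "id"/"note" are assumed for illustration.

```cfml
<!--- Constructed sample input: the legitimate value from the question,
      which the blacklist UDF above wrongly flags because it contains
      "update", "drop" and an apostrophe. --->
<cfset userNote = "we'll update the price later and drop by to talk">

<!--- Blacklist check from the post: evaluates to true, a false positive. --->
<cfset flaggedByBlacklist = IsSQLInject(userNote)>
<cfoutput>Blacklist flagged legitimate input: #flaggedByBlacklist#</cfoutput>

<!--- Defensive alternative: do not try to recognise "bad" strings at all.
      Bind every user-supplied value with cfqueryparam so the driver treats
      it as a parameter, never as part of the SQL statement. The apostrophe
      and the words update/drop are then simply stored as text.
      Assumed names: datasource "myDSN", table "notes", columns id/note. --->
<cfquery name="insertNote" datasource="myDSN">
    INSERT INTO notes (note)
    VALUES (<cfqueryparam value="#userNote#" cfsqltype="cf_sql_varchar" maxlength="500">)
</cfquery>

<!--- Numeric parameters get a numeric cfsqltype, so non-numeric input is
      rejected with an error before any SQL runs, instead of being spliced
      into the WHERE clause. url.id is assumed to be the incoming id. --->
<cfquery name="getNote" datasource="myDSN">
    SELECT id, note
    FROM notes
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

With every value bound this way, the IsSQLInject pre-check adds nothing but false positives and can be dropped.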
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists