I might be way off here, but wouldn't you just need to screen for semi-colons? In order to hack a query the user would have to enter a semi-colon to end the current statement and begin one of their own...
+-----------------------------------------------+
Bryan Love
Macromedia Certified Professional
Internet Application Developer
Database Analyst
TeleCommunication Systems
[EMAIL PROTECTED]
+-----------------------------------------------+
"...'If there must be trouble, let it be in my day, that my child may have peace'..." - Thomas Paine, The American Crisis

-----Original Message-----
From: Brook Davies [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 11:54 AM
To: CF-Talk
Subject: SQL Injection Attacks (scrubbers cont.)

I have been trying to use the UDF below, which I got from http://www.cflib.org/udf.cfm?ID=612&enable=0. The problem is this UDF will return true whenever a field contains the word delete, drop, insert etc. Or when it contains a single quote character. This doesn't really work very well since a user could submit the valid value: "we'll update the price later and drop by to talk". Which would return true for an injection attack using this UDF. Anybody have any ideas on how we could go about updating this UDF to be a bit more accurate?

<cfscript>
/**
 * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
 *
 * @param input String to check. (Required)
 * @return Returns a boolean.
 * @author Will Vautrain ([EMAIL PROTECTED])
 * @version 1, July 1, 2002
 */
function IsSQLInject(input) {
    /*
     * The SQL-injection strings were used at the suggestion of Chris Anley [[EMAIL PROTECTED]]
     * in his paper "Advanced SQL Injection In SQL Server Applications" available for download at
     * http://www.ngssoftware.com/
     */
    var listSQLInject = "select,insert,update,delete,drop,--,'";
    var arraySQLInject = ListToArray(listSQLInject);
    var i = 1;
    // Flag the input as soon as any blacklisted token appears anywhere in it (case-insensitive)
    for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
        if(findNoCase(arraySQLInject[i], input)) return true;
    }
    return false;
}
</cfscript>
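The following is an added example, not code from the thread or from cflib. It ports the quoted IsSQLInject UDF to Python (assumed to be a faithful port), adds the narrower "whole keyword or semicolon" variant the reply suggests, and then runs both against constructed sample comments in an in-memory SQLite database. It shows that the benign sentence from the post is flagged by both blacklists, that string concatenation breaks on that same benign input before any attacker is involved, and that a parameterized query stores it intact, which is the check that makes the scrubber unnecessary. The table name, function names and sample comments are all invented for the example.

```python
import re
import sqlite3

# Port of the cflib IsSQLInject UDF quoted above (assumed faithful):
# flag the input if any blacklisted token appears anywhere, case-insensitively.
SQL_INJECT_TOKENS = ("select", "insert", "update", "delete", "drop", "--", "'")


def is_sql_inject(value: str) -> bool:
    lowered = value.lower()
    return any(token in lowered for token in SQL_INJECT_TOKENS)


# Narrower variant in the spirit of the reply: whole-word keywords, semicolons
# and comment markers only. Still a heuristic, kept here to expose its false positives.
KEYWORD_RE = re.compile(r"\b(select|insert|update|delete|drop)\b", re.IGNORECASE)


def is_sql_inject_wordwise(value: str) -> bool:
    return bool(KEYWORD_RE.search(value)) or ";" in value or "--" in value


def save_comment_concat(conn: sqlite3.Connection, comment: str) -> None:
    """The pattern a scrubber is meant to protect: SQL built by concatenation."""
    sql = "INSERT INTO comments (body) VALUES ('" + comment + "')"
    conn.execute(sql)
    conn.commit()


def concat_breaks_on(conn: sqlite3.Connection, comment: str) -> bool:
    """True if concatenation yields malformed SQL for this (benign) input."""
    try:
        save_comment_concat(conn, comment)
    except sqlite3.OperationalError:
        return True
    return False


def save_comment_param(conn: sqlite3.Connection, comment: str) -> None:
    """The fix: bind the value as a parameter; the driver never parses it as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    conn.commit()


def fetch_comments(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    # Constructed sample inputs; the first is the benign sentence from the post.
    comments = [
        "we'll update the price later and drop by to talk",
        "Meeting at 3pm; bring the SELECT list (it's ready).",
    ]
    flagged = [c for c in comments if is_sql_inject(c)]
    flagged_wordwise = [c for c in comments if is_sql_inject_wordwise(c)]
    for c in comments:
        save_comment_param(conn, c)
    stored = fetch_comments(conn)
    concat_breaks = [concat_breaks_on(conn, c) for c in comments]
    conn.close()
    return {
        "flagged": flagged,                  # both comments, by the original UDF
        "flagged_wordwise": flagged_wordwise,  # both comments, by the narrower variant
        "stored": stored,                    # both stored verbatim via parameters
        "concat_breaks": concat_breaks,      # [True, True]: apostrophes alone break concatenation
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Neither blacklist can tell "drop by to talk" from a statement, because the tokens are ordinary English; the semicolon check fares no better on "3pm; bring". In ColdFusion the equivalent of the parameter binding shown here is cfqueryparam, which makes the scrubber question moot: the value is never spliced into SQL text, so there is nothing to scrub.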