> --begin script -
>
> // SQL injection keywords
>
> SQL_exp="[ ;](insert +into.+values|drop +table|create +table)";
Unfortunately, I think you're fighting a losing battle here. There are all
kinds of commands (many platform-specific) that might be used in SQL
injection. Instead, you're better off just using CFQUERYPARAM, which will
prevent all SQL injection attacks, to the best of my knowledge.
On the other hand, for cross-site scripting, you might take an approach like
this. But that's a different kettle of fish.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
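To make the point above concrete, here is an added example that is not part of Dave's message or the quoted script: it takes the quoted keyword regex, translated from the ColdFusion cfscript into Python, and runs it in front of a string-built query against a constructed in-memory SQLite table, then runs the same input through a bound parameter, which is the sqlite3 analogue of CFQUERYPARAM. The table, the two attacker inputs and the function names are all assumptions made for the demonstration.

```python
import re
import sqlite3

# The keyword blacklist from the quoted script, translated from the
# ColdFusion regex into Python and made case-insensitive.
SQL_EXP = re.compile(
    r"[ ;](insert +into.+values|drop +table|create +table)", re.IGNORECASE
)


def blacklist_blocks(value: str) -> bool:
    """Return True if the quoted script's keyword filter would reject value."""
    return SQL_EXP.search(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """String-built query guarded only by the keyword blacklist."""
    if blacklist_blocks(name):
        raise ValueError("blocked by keyword filter")
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value never becomes part of the SQL text,
    which is what CFQUERYPARAM does for a cfquery."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker input: it contains none of the blacklisted keywords,
# so the filter passes it, yet it turns the WHERE clause into a tautology.
PAYLOAD = "nobody' OR '1'='1"

# Constructed second input: the blacklisted DROP TABLE written with a SQL
# comment instead of a space, which slips past the pattern's literal " +".
EVASION = "x'; DROP/**/TABLE users; --"


def demo() -> dict:
    """Run both inputs through the filter and both query styles."""
    conn = make_db()
    return {
        "filter_passed": not blacklist_blocks(PAYLOAD),
        "evasion_filter_passed": not blacklist_blocks(EVASION),
        "unsafe_rows": lookup_unsafe(conn, PAYLOAD),
        "safe_rows": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The tautology input dumps every row through the string-built query and returns nothing through the bound parameter, and the comment-spaced DROP TABLE passes the regex untouched; both show why a keyword list cannot be kept complete while a bound parameter needs no list at all.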