> --begin script -
>
>             // SQL injection keywords
>
>             SQL_exp="[ ;](insert +into.+values|drop +table|create +table)";

Unfortunately, I think you're fighting a losing battle here. There are all
kinds of commands (many platform-specific) that might be used in SQL
injection. Instead, you're better off just using CFQUERYPARAM, which will
prevent all SQL injection attacks, to the best of my knowledge.

On the other hand, for cross-site scripting, you might take an approach like
this. But that's a different kettle of fish.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
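As an added illustration (not part of the thread, and not code from Dave or from the quoted script's author), the keyword regex quoted above is run as a Python check over a few constructed inputs, next to a parameterized query. Python's sqlite3 `?` binding stands in for CFQUERYPARAM here; the table name, sample rows and inputs are all invented for the demo.

```python
import re
import sqlite3

# The blacklist pattern quoted in the thread. ColdFusion's reFind() is
# case-sensitive, so the Python pattern is compiled without re.IGNORECASE.
SQL_EXP = re.compile(r"[ ;](insert +into.+values|drop +table|create +table)")


def blacklist_flags(value: str) -> bool:
    """True if the quoted keyword regex would flag this input."""
    return SQL_EXP.search(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database: a 'users' table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bind the caller's value as data (the analogue of <cfqueryparam>).

    Whatever the string contains, it is compared against the name column and
    never interpreted as SQL, so no keyword filtering is needed in front of it.
    """
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()


def table_still_exists(conn: sqlite3.Connection) -> bool:
    """Check that the demo table survived the lookup."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


# Constructed inputs: an ordinary name, a hostile-looking string the regex
# catches, and the same string with the keyword in upper case, which the
# case-sensitive pattern does not catch. That gap is the "losing battle"
# the reply describes: the list of things to match never ends.
SAMPLES = {
    "alice": False,
    "x'; drop table users--": True,
    "x'; DROP TABLE users--": False,
}


def main() -> None:
    for value, expected in SAMPLES.items():
        print(f"blacklist flags {value!r}: {blacklist_flags(value)} (expected {expected})")

    conn = build_demo_db()
    for value in SAMPLES:
        # The parameterized query treats every input as a literal name.
        print(f"lookup {value!r} -> {lookup_user_parameterized(conn, value)}")
    print("users table still exists:", table_still_exists(conn))


if __name__ == "__main__":
    main()
```

The point of running both side by side: the regex answers "does this look like SQL?", which is a guess that has to be revised every time a new dialect or spelling turns up, while the bound parameter makes the question irrelevant because the value can only ever be compared as data.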