With this latest spate of SQL attacks it has at least alerted CF (and non CF coders hopefully) to the importance of sql injection and input sanitisation. However I am noticing that almost all of the drop-in 'patches', almost all of them seem to be straight list/array searches and there is almost no use of regular expressions, meaning that these 'solutions' can barely even be considered as suitable stop gaps until more appropriate measures can be taken (cfqueryparam, sql permissions, etcetera) as they really can only stop the most basic attempts and are likely to produce an inordinate number of false positives (someone earlier noted that an admin was blacklisted for using declare in a perfectly acceptable context).
It seems to me that such a knee jerk reaction and placing half thought out measures in place almost does more harm than good in that it leaves people with a false sense of security. Take the following code as case in point; function IsSQLInject(input) { var listSQLInject = "cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,dr op,--,'"; var arraySQLInject = ListToArray(listSQLInject); var i = 1; for(i=1; i lte arrayLen(arraySQLInject); i=i+1) { if(findNoCase(arraySQLInject[i], input)) return true; } return false; } Running this function over any user input scope will flag every input that contains one of the listed strings, i.e. 'Casting sugar', 'selectable criteria', 'Name: Grant Thompson', so on and so forth... But at least you're secure, right? Dr/*foo*/op table orders; The simplest obfuscation of the command using basic tools and the function is rendered useless. Conclusion? You're stopping legitimate use and still leaving a wide open door to any hacker willing to put in 30 seconds effort. How long until someone rewrites the current attack pattern and uses the above method to bypass all of the shiny new keyword scanners? Dec/*can't see me*/lare @s = .... That's all without even touching upon encoding. I'm not claiming to have the ideal patch, I'm not even claiming to have been the first to notice these things - posts are on many CF blogs detailing these issues in a far more articulate manner, but I think that advocating simple keyword scanners in this list is irresponsible, bad advice can be worse than no advice at all. All 'senior' CF programmers either do, or should know better. Please note that I mean no offence to anyone on this list (or anywhere else for that matter). Regards, Gabriel ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;203748912;27390454;j Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309560 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4