Pete,

Gabriel Reed and Mary Jo Sminkey created a decent regex and script that does
a good job.

http://www.coldfusionmuse.com/index.cfm/2008/7/28/Coldfusion-Blacklist-Function-for-SQLi

It uses a native Java regex pattern matcher for efficiency - meaning it will
work only on CF 6.x or above.

Mary Jo wrapped it up in an include file here:

http://www.cfwebstore.com/index.cfm?fuseaction=page.download&downloadID=18

This file can be dropped into a cfapplication.cfm file (note: it must come
AFTER the <cfapplication> tag or you will need to edit it to not use the
application scope).

Also please note that using a black list function should be considered a
first line of defence and not a solution. It has several weaknesses
including:

1) It protects only against known threats. In order to be excluded we have
to be a step far enough ahead to make sure the pattern is included.
2) It will produce false positives.
3) It is not role or user based.
4) It tends to give a false sense of security.

Validation, DB permissions and configurations, and binding (cfqp) are all
important factors in protecting against injection.

I have to say that I'm watching this unfold and a lot of effort is going
into sticking our finger in the dike with blacklisting techniques instead of
laying out roadmaps for improving code. Yes I know - some code has thousands
of queries and it is boring (not to mention thankless) to laboriously insert
cfqueryparam into query after query. But that is a major part of the "fix" -
indeed a bigger part of the fix than any blacklisting technique we can
devise together.


Having said all of that, at this moment I completely understand the urgency
to stop the attack by the shortest means possible. In fact, the frequency of
these attacks is causing a denial of service effect for sites with a ton of
.cfm pages indexed - so stopping the attack before it gets to the meat of
your code is important. My blog, for example, got thousands of attacks
overnight. All of them "reached" the database and failed - but that doesn't
mean I'm just going to let them keep on hitting the DB. I put in my blocker
script to intercept the requests and abort them before they ever get to the
DB.

Recent efforts have gone further up the request chain and focused on ISAPI
rewrite and mod_rewrite
(http://www.coldfusionmuse.com/index.cfm/2008/8/8/isapi-rewrite-rule-prevents-sql-injection)
with the idea that these spurious requests should be intercepted and handled
prior to reaching the ColdFusion server altogether. In this situation I am in
favor of such efforts in spite of the general catch-all nature - at least
until the frequency of such attacks dies down.

-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
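Added example (not part of Mark's message and not the regex or include file linked above): a small, runnable illustration of the two points the message makes, that binding the parameter is the real fix and that a keyword blacklist only catches what it already knows about and also trips on harmless input. Python's sqlite3 stands in for cfquery/cfqueryparam here because the same string-concatenation versus bind-parameter distinction applies; the table, rows and blacklist pattern are all constructed for this example.

```python
import re
import sqlite3


# Constructed in-memory table standing in for the "articles" a site would
# query; the rows are sample data, not anything from the original message.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Hello world", 1), (2, "Draft post", 0), (3, "Unreleased notes", 0)],
    )
    conn.commit()
    return conn


def query_concat(conn, raw_id):
    """The vulnerable pattern: the request value is pasted into the SQL text,
    the same thing `WHERE id = #url.id#` does inside a bare <cfquery>."""
    sql = "SELECT id, title FROM articles WHERE published = 1 AND id = %s" % raw_id
    return conn.execute(sql).fetchall()


def query_bound(conn, raw_id):
    """The fix: the value travels as a typed bind parameter, analogous to
    <cfqueryparam cfsqltype="cf_sql_integer">. Returns None when the value
    is not an integer, mirroring the type check that rejects such input
    before any SQL is sent."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT id, title FROM articles WHERE published = 1 AND id = ?",
        (article_id,),
    ).fetchall()


# A small keyword/metacharacter blacklist of the general kind a blocker
# script uses. This pattern is constructed for illustration only; it is not
# the regex from the linked blog post.
BLACKLIST = re.compile(
    r"(?i)\b(select|union|insert|update|delete|drop|declare|exec|cast)\b|--|;|'"
)


def blacklisted(value):
    """True if the request value matches the blacklist, i.e. the request
    would be aborted before it reaches any query."""
    return BLACKLIST.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    # "0 OR 1=1" is not in the blacklist, yet the concatenated query
    # returns every row, published or not; the bound query refuses it.
    payload = "0 OR 1=1"
    print("blacklisted?", blacklisted(payload))
    print("concat  :", query_concat(db, payload))
    print("bound   :", query_bound(db, payload))
    # Harmless text that the blacklist nevertheless blocks (false positives).
    for benign in ("O'Brien's report", "please drop me a line"):
        print(repr(benign), "blacklisted?", blacklisted(benign))
```

The concatenated query turns `0 OR 1=1` into `WHERE published = 1 AND id = 0 OR 1=1`, which returns the unpublished rows as well, while the bound version never builds that SQL at all. The blacklist, meanwhile, lets that payload straight through because `OR` is not on its list, and rejects an apostrophe in a surname and the word "drop" in ordinary prose, which is the known-threats-only and false-positive pair of weaknesses from the list above in miniature.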




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310594