> 1) It protects only against known threats. In order to be excluded we have
> to be a step far enough ahead to make sure the pattern is included.
> 2) It will produce false positives.
> 3) It is not role or user based.
> 4) Tends to give a false sense of security.
Just to add to this, in my own testing of the RegEx I definitely was getting false positives, with just normal text strings (no other characters needed). So I do have some concerns about any long-term use of it, and would caution anyone using it to be aware that it may block more than you intend it to.

In my own software, I've modified how it is called so it's only used on the front-end, open-to-the-world part of my software, since if someone gets through the back-end security checks, they certainly don't need to bother with a SQL injection to mess with the database! ;-)

The goal here is mainly just to block the request as soon as the invalid strings in any vulnerable scope are detected, and that's essentially what it does, scanning the url, form, cookie and cgi scopes.

--- Mary Jo

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310614
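The two failure modes raised in this exchange (ordinary text tripping the filter, and an injection the pattern list does not know about sailing through) are easy to reproduce side by side. The following is an added example, not code from the thread or from the RegEx being discussed: the BLOCKLIST pattern is a constructed stand-in for that kind of filter, the users table and the inputs are constructed for the demonstration, and the request-scope scan only mimics the url/form/cookie/cgi walk described above. The parameterized query is there to show what actually stops the bypass regardless of the filter.

```python
import re
import sqlite3

# Constructed stand-in for a SQL-injection blocklist regex. This is NOT the
# regex discussed in the thread; it only illustrates how such blocklists behave.
BLOCKLIST = re.compile(
    r"\b(select|insert|update|delete|drop|union|exec|declare|cast)\b"
    r"|--|;|/\*|\*/"
    r"|\bor\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def blocklist_flags(value: str) -> bool:
    """True if the naive blocklist would reject this parameter value."""
    return BLOCKLIST.search(value) is not None


def scan_request(scopes: dict) -> list:
    """Walk every (scope, key) the way a filter over url/form/cookie/cgi would
    and return the (scope, key) pairs that would cause the request to be blocked."""
    return [
        (scope, key)
        for scope, params in scopes.items()
        for key, value in params.items()
        if blocklist_flags(value)
    ]


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table used for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob",), ("o'brien",)],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the input is spliced into the statement text."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound, so it is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed inputs.
FALSE_POSITIVE = "Please select the update you want to delete"  # ordinary English
BYPASS = "x' OR 'a'='a"       # no keyword, no comment, no digits: not in the pattern list
LEGIT_QUOTE = "o'brien"       # a real name that a quote-based filter would also hurt

if __name__ == "__main__":
    conn = make_db()
    print("blocklist flags ordinary text:", blocklist_flags(FALSE_POSITIVE))
    print("blocklist flags the bypass:", blocklist_flags(BYPASS))
    print("concatenated query, bypass input:", lookup_concatenated(conn, BYPASS))
    print("parameterized query, bypass input:", lookup_parameterized(conn, BYPASS))
    print("parameterized query, legit quote:", lookup_parameterized(conn, LEGIT_QUOTE))
    print("request scan:", scan_request({"form": {"comment": FALSE_POSITIVE}, "url": {"q": BYPASS}}))
```

Running it shows the two halves of the argument: the plain-English sentence is rejected because it happens to contain SELECT, UPDATE and DELETE, while the `' OR 'a'='a` payload passes the filter and, against the concatenated query, returns every row. The parameterized lookup returns nothing for the payload and the correct row for `o'brien`, which is why the filter belongs, at most, in front of code that is already using bound parameters, not in place of them.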