Wouldn't this also catch words like 'myselection'?

Brook

-----Original Message-----
From: Matt Quackenbush [mailto:quackfu...@gmail.com]
Sent: October-11-11 7:16 AM
To: cf-talk
Subject: Re: Check for list of words in string

Regular expressions.

if ( reFindNoCase("(select|declare)",myString) > 0 ) {
    // at least one of the words is present
}

HTH

On Tue, Oct 11, 2011 at 9:11 AM, Brian Cain <bcc9...@gmail.com> wrote:

>
> Hello all,
>
> I would like to check a string against a list of keywords and either
> null the string or replace the keywords if found.
>
> Over the past couple of weeks someone has been probing my sites for
> SQL injection vulnerabilities. I have used queryparams and other
> types of validation, but I fear I may have missed something. I am
> using an old version of formurl2attributes that has been modified over
> the years. My thought is to check the attributes list at the end of
> the custom tag, and look for some of the common SQL injection keywords
> there and mitigate their effectiveness.
>
> So in short, how do I search for keywords like "select,declare" in a
> string without looping over the keywords?
>
> Thanks,
> Brian Cain
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348053
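
Added example, not part of the thread and not code from any of the posters: one way to apply the keyword check to a whole attributes struct while addressing the 'myselection' concern, by wrapping the alternation in \b word boundaries. The function name findSqlKeywords, its arguments and the sample data are hypothetical, and the keywords are assumed to be plain words with no regex metacharacters.

```cfml
<cfscript>
// Added example; findSqlKeywords and the sample struct are hypothetical names.
// Returns a struct mapping each field name to the keywords found in it
// as whole words. Fields with no match are left out of the result.
function findSqlKeywords(required struct fields, string keywords = "select,declare") {
    var key = "";
    var value = "";
    var found = [];
    var hits = {};
    // "select,declare" becomes \b(select|declare)\b, one pattern for the whole
    // list, so there is no loop over the keywords. \b requires a word boundary
    // on both sides, so 'myselection' and 'declared' do not match.
    // Assumption: keywords contain no regex metacharacters.
    var pattern = "\b(" & listChangeDelims(arguments.keywords, "|") & ")\b";

    for (key in arguments.fields) {
        value = arguments.fields[key];
        // Only simple values can be searched; skip nested structs and arrays.
        if (!isSimpleValue(value)) {
            continue;
        }
        found = reMatchNoCase(pattern, value);
        if (arrayLen(found)) {
            hits[key] = found;
        }
    }
    return hits;
}

// Constructed sample input, for illustration only.
sample = {
    title   = "myselection of declared items",
    comment = "1; DECLARE @s varchar(99) SELECT @s = 1"
};

result = findSqlKeywords(sample);
// 'title' is not reported (no whole-word match); 'comment' is reported
// with the two keywords it contains.
writeDump(result);
</cfscript>
```

The result is suited to logging or rejecting the request. Ordinary text that uses these words on their own ("please select a size") will still match, so the queryparams Brian mentions remain the control that actually stops injection.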