Hi Alan! Thanks for all the help! I found this article about SQL injections, which recommends adding a script to the Application.cfm file to check form/url variables. My only question is whether it would be better to hard code the checks into each query and script vs a general script that's basically run on every process. Seems performance would be better if the checks were done individually.
Here is the code they recommend: http://coldfusion.sys-con.com/node/620373

<!--- CREATE SQL REGULAR EXPRESSION --->
<!--- The alternatives are joined with no whitespace between them. The
      line-wrapped copy of the article left a literal space in front of each
      group, so the pattern only matched values that had a space before the
      keyword. Note this is a blacklist of full statement shapes; it is a
      supplement to cfqueryparam, not a replacement for it. --->
<cfset sqlregex = "(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|(DELETE\sFROM\s[\d\w\'\=]+)|(DROP\sTABLE\s[\d\w\'\=]+)">

<!--- CHECK FORM VARIABLES --->
<!--- form[formelement] reads the submitted value directly. evaluate(formelement)
      evaluates the field *name* as an expression, which resolves through other
      scopes first and throws on names that are not valid identifiers. --->
<cfloop collection="#form#" item="formelement">
    <cfif isSimpleValue(form[formelement]) AND refindnocase(sqlregex, form[formelement])>
        <!--- cflocation ends the request, so clear the scope before redirecting --->
        <cfset StructClear(form)>
        <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
    </cfif>
</cfloop>

<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="urlelement">
    <cfif isSimpleValue(url[urlelement]) AND refindnocase(sqlregex, url[urlelement])>
        <cfset StructClear(url)>
        <cflocation url="messages.cfm?message=Invalid Input. Possible SQL Injection attack.">
    </cfif>
</cfloop>
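As an added example (not from the article or from the post above), here is the same regex ported to Python and run over a constructed form submission, so you can see what the Application.cfm loop would and would not flag. It assumes Python's re module behaves like OpenBD's Java regex engine for the constructs used here (\s, \w, \d and escaped punctuation), which it does; WRAPPED_REGEX is the pattern as the line-wrapped article rendered it, FIXED_REGEX the same pattern with the stray spaces removed.

```python
import re

# Pattern as the line-wrapped article rendered it: every alternative starts
# with a stray literal space, so a value is only flagged when a space
# precedes the keyword.
WRAPPED_REGEX = (
    r" (SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
    r" (UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
    r" (INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
    r" (DELETE\sFROM\s[\d\w\'\=]+)|"
    r" (DROP\sTABLE\s[\d\w\'\=]+)"
)

# Same pattern with the stray spaces removed.
FIXED_REGEX = (
    r"(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
    r"(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
    r"(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
    r"(DELETE\sFROM\s[\d\w\'\=]+)|"
    r"(DROP\sTABLE\s[\d\w\'\=]+)"
)


def flagged(value: str, pattern: str = FIXED_REGEX) -> bool:
    """Mirror refindnocase(): True when the value contains a full statement shape."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def scan_scope(scope: dict, pattern: str = FIXED_REGEX) -> list:
    """Mirror the Application.cfm loop over form/url: names of fields that trip the filter."""
    return [name for name, value in scope.items()
            if isinstance(value, str) and flagged(value, pattern)]


# Constructed sample submission (hypothetical field names, not captured data).
SAMPLE_FORM = {
    "username": "alan",
    "comment": "Please select a colour from the list below",  # ordinary prose
    "note": "DROP TABLE orders",                               # statement shape
}

if __name__ == "__main__":
    # The wrapped pattern misses the statement but still blocks the prose;
    # the fixed pattern catches the statement and still blocks the prose.
    print("wrapped:", scan_scope(SAMPLE_FORM, WRAPPED_REGEX))  # ['comment']
    print("fixed:  ", scan_scope(SAMPLE_FORM))                 # ['comment', 'note']
```

The false positive on "select ... from ..." in plain text is the cost of a blacklist that keys on statement shapes, which is why the check belongs alongside cfqueryparam rather than in place of it.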
