I might be way off here, but wouldn't you just need to screen for
semi-colons?  In order to hack a query the user would have to enter a
semi-colon to end the current statement and begin one of their own...

+-----------------------------------------------+
Bryan Love
  Macromedia Certified Professional
  Internet Application Developer
  Database Analyst
TeleCommunication Systems
[EMAIL PROTECTED]
+-----------------------------------------------+

"...'If there must be trouble, let it be in my day, that my child may have
peace'..."
        - Thomas Paine, The American Crisis



-----Original Message-----
From: Brook Davies [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 11:54 AM
To: CF-Talk
Subject: SQL Injection Attacks (scrubbers cont.)


I have been trying to use the UDF below, which I got from 
http://www.cflib.org/udf.cfm?ID=612&enable=0.

The problem is this UDF will return true whenever a field contains the word 
delete, drop, insert etc. Or when it contains a single quote character. 
This doesn't really work very well since a user could submit the valid 
value: "we'll update the price later and drop by to talk". Which would 
return true for an injection attack using this UDF.

Anybody have any ideas on how we could go about updating this UDF to be a bit 
more accurate?


<cfscript>
/**
  * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
  *
  * @param input         String to check. (Required)
  * @return Returns a boolean.
  * @author Will Vautrain ([EMAIL PROTECTED])
  * @version 1, July 1, 2002
  */
function IsSQLInject(input) {
        /*
        * The SQL-injection strings were used at the suggestion of Chris Anley [[EMAIL PROTECTED]]
        * in his paper "Advanced SQL Injection In SQL Server Applications" available for download at
        * http://www.ngssoftware.com/
        */
        var listSQLInject = "select,insert,update,delete,drop,--,'";
        var arraySQLInject = ListToArray(listSQLInject);
        var i = 1;

        // Return true as soon as any blacklisted term appears anywhere in the input (case-insensitive)
        for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
                if(findNoCase(arraySQLInject[i], input)) return true;
        }

        return false;
}
</cfscript>
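As an added illustration (not part of the thread or the cflib UDF), the keyword blacklist above ported to Python beside a bound-parameter insert, which is what ColdFusion's cfqueryparam does: the valid sentence Brook quotes is rejected by the blacklist, yet stored intact when passed as a parameter, because the database receives it as data rather than as SQL text. Python's sqlite3 stands in for the CF query tag; the sample comments are constructed.

```python
import sqlite3

# Constructed sample inputs: the valid sentence from the thread plus a surname with an apostrophe.
VALID_COMMENTS = [
    "we'll update the price later and drop by to talk",
    "O'Brien",
]

# Same terms as the IsSQLInject UDF on the page.
SQL_INJECT_TERMS = ["select", "insert", "update", "delete", "drop", "--", "'"]


def is_sql_inject(value: str) -> bool:
    """Port of the UDF's check: true if any blacklisted term appears, case-insensitively."""
    lowered = value.lower()
    return any(term in lowered for term in SQL_INJECT_TERMS)


def false_positives(values):
    """Legitimate inputs the blacklist would reject."""
    return [v for v in values if is_sql_inject(v)]


def store_comment_parameterized(conn, comment: str) -> str:
    """Insert via a bound parameter (the sqlite3 equivalent of <cfqueryparam>) and read it back.

    The driver sends the value separately from the SQL statement, so quotes and
    keywords inside it are plain data and need no scrubbing.
    """
    conn.execute("INSERT INTO comments(body) VALUES (?)", (comment,))
    row = conn.execute("SELECT body FROM comments WHERE body = ?", (comment,)).fetchone()
    return row[0]


def demo():
    """Return (inputs the blacklist rejects, the same inputs as stored via parameters)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(id INTEGER PRIMARY KEY, body TEXT)")
    rejected = false_positives(VALID_COMMENTS)
    stored = [store_comment_parameterized(conn, c) for c in VALID_COMMENTS]
    return rejected, stored


if __name__ == "__main__":
    rejected, stored = demo()
    print("Blacklist rejects:", rejected)
    print("Parameterized insert stores:", stored)
```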



FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
