You can use this really nasty regex that I use to sweep for all sorts of attacks:
(<[[:space:]]?/?(script|embed|applet|object|form|layer|ilayer|frame|iframe|frameset|param|meta|server)[^>]*>?)|(;?[[:space:]]*(((alter|create|drop)[[:space:]]*(database|proc|table|trigger|view|function))|(insert[[:space:]]*into)|(truncate[[:space:]]*table)|(update[[:space:]]*.*set[[:space:]]*.*=)|(delete[[:space:]]*from)|(select[[:space:]]*\*[[:space:]]*from)))|onabort|onafterupdate|onbeforeunload|onbeforeupdate|onblur|onbounce|onchange|onclick|ondataavailable|ondatasetchanged|ondatasetcomplete|ondblclick|ondragdrop|ondragstart|onerror|onerrorupdate|onfilterchange|onfinish|onfocus|onhelp|onkeydown|onkeypress|onkeyup|onload|onmousedown|onmousemove|onmouseout|onmouseover|onmouseup|onmove|onreadystatechange|onreset|onresize|onrowenter|onrowexit|onscroll|onselect|onselectstart|onstart|onsubmit|onunload|(exec[[:space:]]*xp_cmdshell)|([[:space:]](cmd.exe|root.exe|sp_|st_)[[:space:]])|(javascript:)|(vbscript:)|(<%)

This takes into account the possibility of spaces and such in SQL statements. Of course, I can't guarantee that it catches everything.

Matthieu

-----Original Message-----
From: Brook Davies [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 03, 2002 3:17 PM
To: CF-Talk
Subject: RE: SQL Injection Attacks (scrubbers cont.)

If that is true, you would have to look for more than just the semi-colon. The semi-colon could be used in a legitimate string. I was going to say you could look for ;drop or ;insert etc., but I think there would still be other ways to do damage via SQL. The user could do the semi-colon and then a case statement or something other than the expected drop/delete keyword. At least I think they could do this.

At 11:50 AM 03/09/02 -0700, you wrote:
>I might be way off here, but wouldn't you just need to screen for
>semi-colons? In order to hack a query the user would have to enter a
>semi-colon to end the current statement and begin one of their own...
>
>+-----------------------------------------------+
>Bryan Love
> Macromedia Certified Professional
> Internet Application Developer
> Database Analyst
>TeleCommunication Systems
>[EMAIL PROTECTED]
>+-----------------------------------------------+
>
>"...'If there must be trouble, let it be in my day, that my child may have
>peace'..."
> - Thomas Paine, The American Crisis
>
>
>-----Original Message-----
>From: Brook Davies [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 03, 2002 11:54 AM
>To: CF-Talk
>Subject: SQL Injection Attacks (scrubbers cont.)
>
>I have been trying to use the UDF below, which I got from
>http://www.cflib.org/udf.cfm?ID=612&enable=0.
>
>The problem is this UDF will return true whenever a field contains the word
>delete, drop, insert etc. Or when it contains a single quote character.
>This doesn't really work very well since a user could submit the valid
>value: "we'll update the price later and drop by to talk". Which would
>return true for an injection attack using this UDF.
>
>Anybody have any ideas on how we could go about updating this UDF to be a bit
>more accurate?
>
><cfscript>
>/**
> * Tests a string, one-dimensional array, or simple struct for possible
>SQL injection.
> *
> * @param input String to check. (Required)
> * @return Returns a boolean.
> * @author Will Vautrain ([EMAIL PROTECTED])
> * @version 1, July 1, 2002
> */
>function IsSQLInject(input) {
>    /*
>     * The SQL-injection strings were used at the suggestion of Chris Anley
>     * [[EMAIL PROTECTED]] in his paper "Advanced SQL Injection In SQL Server
>     * Applications", available for download at http://www.ngssoftware.com/
>     */
>    var listSQLInject = "select,insert,update,delete,drop,--,'";
>    var arraySQLInject = ListToArray(listSQLInject);
>    var i = 1;
>
>    // Case-insensitive substring search: any keyword anywhere in the input
>    // counts as a hit, which is why "drop by" or an apostrophe trips it.
>    for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
>        if(findNoCase(arraySQLInject[i], input)) return true;
>    }
>
>    return false;
>}
></cfscript>

______________________________________________________________________
Get the mailserver that powers this list at http://www.coolfusion.com
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
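The two scrubbers in this thread (Will Vautrain's IsSQLInject() keyword list and Matthieu's regex), side by side, as an added example that is not part of the thread and is written in Python rather than ColdFusion so it can be run anywhere. Both are ported and run over constructed inputs, including Brook's legitimate "we'll update the price later and drop by to talk", to show that each one both rejects harmless text and lets real injections through; a parameterized query is run for contrast, which goes beyond what the thread shows. Assumptions: case-insensitive matching for the regex (the thread does not say whether REFind or REFindNoCase was used), [[:space:]] rendered as \s, an in-memory SQLite table standing in for the SQL Server database, and every sample input other than Brook's sentence is made up here.

```python
"""Added example, not from the CF-Talk thread: the two scrubbers posted in it,
ported to Python and run side by side over constructed inputs, next to a
parameterized query for contrast."""
import re
import sqlite3

# Port of the IsSQLInject() keyword list; findNoCase() is a case-insensitive
# substring search, so that is what is done here.
UDF_KEYWORDS = ["select", "insert", "update", "delete", "drop", "--", "'"]


def is_sql_inject_udf(text):
    """True if any UDF keyword occurs anywhere in text (case-insensitive)."""
    low = text.lower()
    return any(k in low for k in UDF_KEYWORDS)


# The event-handler names from Matthieu's regex, kept as bare alternatives
# with no word boundaries, exactly as posted.
EVENT_HANDLERS = (
    "onabort onafterupdate onbeforeunload onbeforeupdate onblur onbounce "
    "onchange onclick ondataavailable ondatasetchanged ondatasetcomplete "
    "ondblclick ondragdrop ondragstart onerror onerrorupdate onfilterchange "
    "onfinish onfocus onhelp onkeydown onkeypress onkeyup onload onmousedown "
    "onmousemove onmouseout onmouseover onmouseup onmove onreadystatechange "
    "onreset onresize onrowenter onrowexit onscroll onselect onselectstart "
    "onstart onsubmit onunload"
).split()

# Matthieu's regex with POSIX [[:space:]] written as \s and the line-wrap
# breaks repaired.  Case-insensitive matching is an assumption (the thread
# does not say).  The unescaped dot in cmd.exe / root.exe is left as posted.
NASTY_REGEX = re.compile(
    r"(<\s?/?(script|embed|applet|object|form|layer|ilayer|frame|iframe"
    r"|frameset|param|meta|server)[^>]*>?)"
    r"|(;?\s*(((alter|create|drop)\s*(database|proc|table|trigger|view|function))"
    r"|(insert\s*into)|(truncate\s*table)|(update\s*.*set\s*.*=)"
    r"|(delete\s*from)|(select\s*\*\s*from)))"
    r"|" + "|".join(EVENT_HANDLERS) +
    r"|(exec\s*xp_cmdshell)|(\s(cmd.exe|root.exe|sp_|st_)\s)"
    r"|(javascript:)|(vbscript:)|(<%)",
    re.IGNORECASE,
)


def nasty_regex_flags(text):
    """True if Matthieu's regex matches anywhere in text."""
    return NASTY_REGEX.search(text) is not None


# Constructed inputs: (text, is_attack).  The first is Brook's example of a
# legitimate value; the rest are made up for this demonstration.
SAMPLES = [
    ("we'll update the price later and drop by to talk", False),
    ("Please update the settings so that timeout=30", False),
    ("a nonselective filter", False),
    ("' OR '1'='1", True),
    ("1 UNION SELECT name, password FROM users", True),
    ("1; DROP TABLE users", True),
    ("1 OR 1=1", True),
]


def scrubber_report(samples=SAMPLES):
    """Map each sample text to (udf_flagged, regex_flagged, is_attack)."""
    return {t: (is_sql_inject_udf(t), nasty_regex_flags(t), atk) for t, atk in samples}


def lookup(user_input, parameterized):
    """Run the same lookup two ways against a throwaway in-memory table.

    parameterized=False splices the value into the SQL text, which is the
    pattern the scrubbers are trying to protect; parameterized=True binds it,
    so the database never parses it as SQL.  Returns the matching rows, or
    None if the spliced query failed to parse.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE notes(body TEXT)")
    con.executemany("INSERT INTO notes VALUES (?)", [("alpha",), ("beta",)])
    try:
        if parameterized:
            cur = con.execute(
                "SELECT body FROM notes WHERE body = ? ORDER BY body", (user_input,))
        else:
            cur = con.execute(
                "SELECT body FROM notes WHERE body = '" + user_input + "' ORDER BY body")
        return [r[0] for r in cur.fetchall()]
    except sqlite3.Error:
        return None
    finally:
        con.close()


if __name__ == "__main__":
    for text, (udf, rx, atk) in scrubber_report().items():
        label = "attack" if atk else "benign"
        print(label, "udf=%-5s regex=%-5s" % (udf, rx), text)
    print("spliced:      ", lookup("' OR '1'='1", parameterized=False))
    print("parameterized:", lookup("' OR '1'='1", parameterized=True))
```

The report shows why the thread keeps finding counter-examples: a keyword or pattern blacklist has to decide on the raw text before it knows how the query will be built, so "1 OR 1=1" gets through both scrubbers while "Please update the settings so that timeout=30" is rejected, and Brook's sentence is rejected by the UDF but breaks the spliced query anyway because of the apostrophe. Binding the value as a parameter (in ColdFusion, with cfqueryparam) makes the scrubber unnecessary for SQL injection, since the value is never parsed as SQL; the HTML-tag and on* event-handler part of the regex is a separate output-encoding concern that binding does not address.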

