I've just been playing around with some ideas for cleansing URLs, especially
with regard to the injection of SQL code, and I came up with the following
piece of code on my test rig:

<!--- Walk every URL parameter and abort the request if any value contains
      a ";" followed (anywhere later in the string) by a listed SQL keyword --->
<cfloop collection="#URL#" item="field">
    <!--- Strip from the ";" through the keyword to end of string, case-insensitively --->
    <cfset tmp = REReplaceNoCase(trim(URL[field]),
        "\;(.*)(SELECT|DROP|UPDATE|DELETE|TRUNCATE)(.*)$", "", "ALL")>
    <!--- If the replace changed anything, the pattern matched: reject the value --->
    <cfif CompareNoCase(tmp, trim(URL[field])) NEQ 0>
        <cfthrow type="URLCleanser" message="Unsafe data detected in URL">
    </cfif>
</cfloop>

Other than the fact that I haven't added in all the SQL keywords that I
intend to look for, are there any obvious flaws in using this approach to
look for SQL code injections?

I know I can (and I do) use Val() and/or CFQUERYPARAM to validate values
when I'm actually at the point of doing a query, but running this code (or
something like it) before I get anywhere near a query is a far better option
IMO.

Paul
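To see how the posted check behaves on ordinary input, here is the same regex transcribed into Python beside the per-parameter, allow-list style of validation the post mentions (Val()/CFQUERYPARAM at the query). This is an added example, not code from the post; the sample parameter values are constructed.

```python
import re

# The post's pattern, transcribed from the CFML REReplaceNoCase call
# (case-insensitive, all occurrences removed).
SQL_KEYWORD_RE = re.compile(
    r";(.*)(SELECT|DROP|UPDATE|DELETE|TRUNCATE)(.*)$", re.IGNORECASE
)


def cleanser_flags(value: str) -> bool:
    """Mirror of the posted check: the value is flagged when stripping the
    pattern changes it, which is where the CFML code throws."""
    trimmed = value.strip()
    stripped = SQL_KEYWORD_RE.sub("", trimmed)
    return stripped.casefold() != trimmed.casefold()


def check_url_params(params: dict) -> dict:
    """Run the posted cleanser over every URL field, as the cfloop does,
    and report which fields it would reject."""
    return {name: cleanser_flags(val) for name, val in params.items()}


def validate_int_param(value: str) -> int:
    """Allow-list alternative for a numeric URL parameter: accept only an
    optional sign and digits (what a Val()/cfqueryparam-style integer check
    enforces at the query) and reject everything else, keyword or not."""
    if not re.fullmatch(r"[+-]?\d+", value.strip()):
        raise ValueError(f"parameter is not an integer: {value!r}")
    return int(value)


# Constructed sample query-string values (not from the post). The free-text
# note is perfectly benign but is rejected by the keyword blacklist.
SAMPLE_PARAMS = {
    "id": "42",
    "note": "Reviewed; please update the address",
    "price": "10; 20% off",
}

if __name__ == "__main__":
    for name, flagged in check_url_params(SAMPLE_PARAMS).items():
        print(f"{name}: {'rejected' if flagged else 'accepted'}")
    print("id as integer:", validate_int_param(SAMPLE_PARAMS["id"]))
```

The blacklist rejects the benign note because of the word "update", while the integer check for `id` needs no keyword list at all, which is the trade-off the Val()/CFQUERYPARAM route in the post avoids.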