RE: A script to Prevent SQL Injection: feedback/suggestions?

Thu, 22 Jul 2004 07:21:47 -0700

Last time to attempt to include the code. then I'll stop to prevent
spamming. sorry.

--begin script -

            // SQL injection keywords

            SQL_exp="[ ;](insert +into.+values|drop +table|create +table)";

            

            // Loop through the FORM fields and rest their values after
filtering them through the above filters.

            if (isDefined("FORM.FieldNames")) {

                        for (i=1;i LTE ListLen(FORM.FieldNames); i = i + 1)
{

                                    thisField = "Form." &
ListGetAt(FORM.FieldNames, i);

                                    thisValue = Evaluate(thisField);

                                    try {

                                                form[thisField] =
ReReplaceNoCase(thisValue,"#SQL_exp#","","ALL");

                                    } catch(Any excpt) {

                                                // Just in case the user has
submited one of those IMAGE type form fields...

                                    }

                        }

            }

            

            // Loop through the URL query string...

            if (len(cgi.query_string)) {

                        for (i=1;i LTE ListLen(cgi.query_string, "&"); i = i
+ 1) {

                                    // for each pair, set the value after
filtering for SQL data.

                                    if (listLen(ListGetAt(cgi.query_string,
i, "&"),"=") EQ 2) {

                                                thisList =
ListGetAt(cgi.query_string, i,"&");

                                                thisField =
ListFirst(thisList, "=");

                                                thisValue =
URLDecode(ListLast(thisList,"="));

                                                url[thisField] =
ReReplaceNoCase(thisValue,"#SQL_exp#","","ALL");

                                    }

                        }

            }

-- end script --

-----Original Message-----
From: Wes [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 10:08 AM
To: CF-Talk
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?

Hmmm. script did not appear. trying attachment.

-----Original Message-----
From: Robertson-Ravo, Neil (RX)
[mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 9:56 AM
To: CF-Talk
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?

There are several of these scripts out there.....all seem to do exactly what
this does....its certainly good to see other people are still conscious of
it all!

   _____  

From: Wes [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 14:58
To: CF-Talk
Subject: A script to Prevent SQL Injection: feedback/suggestions?

The Atlanta CFUG discussed SQL injection at its last meeting.  Here is a
script I wrote for removing all SQL injection from FORM and URL scopes.  You
could either put this in a file and including it in your Application.CFM or
turn it into a Function and put it in a CFC and Invoke it from the
Application.CFM.  With this done, POOF!!, no SQL Injection!  At least not
from the FORM or URL scopes.

Test it here: http://www.dynapp.net/_test.cfm

Let me know if you have any feedback or suggestions.

THANKS!!

Wes

See Script Below

   _____

  _____

  _____
[Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]

Reply via email to