http://www.cflib.org/udf.cfm?ID=612



   _____  

From: Wes [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 15:20
To: CF-Talk
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?

Last attempt to include the code; then I'll stop, to prevent
spamming. Sorry.

--begin script -

<cfscript>
// SQL injection keywords (matched case-insensitively, and only when the
// phrase is preceded by a space or a ';')
SQL_exp = "[ ;](insert +into.+values|drop +table|create +table)";

// Loop through the FORM fields and reset their values after
// filtering them through the above expression.
if (isDefined("FORM.FieldNames")) {
    for (i = 1; i LTE ListLen(FORM.FieldNames); i = i + 1) {
        thisField = ListGetAt(FORM.FieldNames, i);
        try {
            // Write back under the bare field name: form["Form." & name]
            // would create a new key and leave the original value untouched.
            form[thisField] = ReReplaceNoCase(form[thisField], SQL_exp, "", "ALL");
        } catch (Any excpt) {
            // Just in case the user has submitted one of those IMAGE type form fields...
        }
    }
}

// Loop through the URL query string...
if (Len(cgi.query_string)) {
    for (i = 1; i LTE ListLen(cgi.query_string, "&"); i = i + 1) {
        thisList = ListGetAt(cgi.query_string, i, "&");
        // For each name=value pair, set the value after filtering for SQL data.
        if (ListLen(thisList, "=") EQ 2) {
            thisField = ListFirst(thisList, "=");
            thisValue = URLDecode(ListLast(thisList, "="));
            url[thisField] = ReReplaceNoCase(thisValue, SQL_exp, "", "ALL");
        }
    }
}
</cfscript>

-- end script --
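The keyword expression from the script above, re-implemented in Python as an added example by the editor (not code from the thread), run against a handful of constructed inputs to show which ones it strips and which it passes through unchanged, beside the same lookup done with a bound parameter (what CFQUERYPARAM does in ColdFusion). An in-memory SQLite table and the `users` rows stand in for the application's database; the payloads and the two `lookup_*` functions are the editor's assumptions, not part of the posted script.

```python
import re
import sqlite3

# The keyword expression from the posted CF script. ReReplaceNoCase(v, exp, "", "ALL")
# behaves like re.sub() with IGNORECASE, so this filter is a faithful stand-in.
SQL_EXP = r"[ ;](insert +into.+values|drop +table|create +table)"


def cf_filter(value: str) -> str:
    """Apply the script's per-field filter to one FORM/URL value."""
    return re.sub(SQL_EXP, "", value, flags=re.IGNORECASE)


# Constructed inputs (not taken from the thread). Only the first one contains
# a listed phrase preceded by a space or ';', which is what the pattern requires.
PAYLOADS = [
    "x'; drop table users--",             # stripped: " drop table" is removed
    "drop table users",                   # untouched: nothing before 'drop' for [ ;] to match
    "x'; DROP/**/TABLE users--",          # untouched: a comment splits the two words
    "x'; DELETE FROM users--",            # untouched: DELETE is not in the list
    "x' UNION SELECT name FROM users--",  # untouched: UNION/SELECT are not in the list
    "x' OR '1'='1",                       # untouched: no keyword at all, yet it rewrites the WHERE clause
]


def survivors(payloads=PAYLOADS):
    """Return the inputs that the filter passes through unchanged."""
    return [p for p in payloads if cf_filter(p) == p]


def make_demo_db():
    """In-memory SQLite table standing in for the application's database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def lookup_concat(con, name):
    """The case the script is meant to protect: a query built by string concatenation after filtering."""
    sql = "SELECT id FROM users WHERE name = '" + cf_filter(name) + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, name):
    """The alternative: bind the value as a parameter, so it can never change the statement's shape."""
    return [row[0] for row in con.execute("SELECT id FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_demo_db()
    for p in PAYLOADS:
        print(f"{p!r:40} -> {cf_filter(p)!r}")
    print("filter + concat :", lookup_concat(db, "x' OR '1'='1"))  # every row comes back
    print("parameterized   :", lookup_param(db, "x' OR '1'='1"))   # no rows
```

Five of the six constructed inputs come out of the filter unchanged, and the tautology payload still returns every row when the filtered value is concatenated into the query; the same value bound as a parameter matches nothing, because the database never parses it as SQL.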

-----Original Message-----
From: Wes [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 10:08 AM
To: CF-Talk
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?

Hmmm. Script did not appear. Trying attachment.

-----Original Message-----
From: Robertson-Ravo, Neil (RX)
[mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 9:56 AM
To: CF-Talk
Subject: RE: A script to Prevent SQL Injection: feedback/suggestions?

There are several of these scripts out there... all seem to do exactly what
this does... it's certainly good to see other people are still conscious of
it all!

   _____  

From: Wes [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 14:58
To: CF-Talk
Subject: A script to Prevent SQL Injection: feedback/suggestions?

The Atlanta CFUG discussed SQL injection at its last meeting.  Here is a
script I wrote for removing all SQL injection from the FORM and URL scopes.  You
could either put this in a file and include it in your Application.cfm, or
turn it into a function, put it in a CFC and invoke it from the
Application.cfm.  With this done, POOF!!, no SQL injection!  At least not
from the FORM or URL scopes.

Test it here: http://www.dynapp.net/_test.cfm

Let me know if you have any feedback or suggestions.

THANKS!!

Wes

See Script Below
