Excuse me... But why are you checking script_name and Path_info for "EXEC("
.... Both of these are generated on the web server - not sent by the
browser... So I'd be interested to know your reasoning. Also, form elements
are not part of the "query_string" since they are passed in a form "body"
container separate from the header.

If you are looking for a stop gap try the isSQLInject function on cflib.org
(and make sure you add declare, cast and exec to the list). I posted a
snippet on my blog that uses this UDF like so:

<!--- check the URL scope --->
<cfif isDefined('url')>
   <cfloop collection="#url#" item="uItem">
      <cfif isSQLInject(url[uItem])>
         <!--- ... or whatever action you want --->
         <cfabort>
      </cfif>
   </cfloop>
</cfif>
<!--- check the FORM scope --->
<cfif isDefined('form')>
   <cfloop collection="#form#" item="fItem">
      <cfif isSQLInject(form[fItem])>
         <!--- ... or whatever action you want --->
         <cfabort>
      </cfif>
   </cfloop>
</cfif>

Of course if you use cookies inside of queries, or copy stuff to the request
or attributes scope (a la fusebox 2-3) then you might need additional
iterations. In my opinion this is a stop gap measure and should not be used
to 'stand in' for not using bound variables and actual validation routines
based on the form being submitted or url being fetched. You should still
redress the issues with your code in spite of measures like this one. In
addition - looping through available user input scopes can be expensive and
it can result in false positives. If someone submits a comment in a forum
that says they are "Casting about for a solution" or that they "declare the
issue resolved" then these items will be trapped unnecessarily by the code
above. If the vars are properly bound however, they will be safely inserted
into the DB as part of the comments.

-Mark

=========== here's the modified UDF ===========

<cfscript>
/**
 * Tests a string for possible SQL injection by looking for blocklisted
 * keywords and characters. Matching is a case-insensitive substring test,
 * so ordinary words such as "Casting" or "declare" also trip it.
 *
 * @param input          String to check. (Required)
 * @return Returns a boolean.
 * @author Will Vautrain (vautrain@yahoo.com)
 * @version 1, July 1, 2002
 */

function IsSQLInject(input) {

        // cflib list with declare, cast and exec added, as recommended above
        var listSQLInject = "declare,cast,exec,execute,sp_executeSQL,revoke,grant,select,insert,update,delete,drop,--,'";
        var arraySQLInject = ListToArray(listSQLInject);
        var i = 1;

        for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
                // findNoCase returns a non-zero position when the token occurs anywhere in input
                if(findNoCase(arraySQLInject[i], input)) return true;
        }

        return false;
}
</cfscript>
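Added example (not part of Mark's post or the cflib UDF): a Python port of the blocklist above, run against an in-memory SQLite table, to show the false positive the post describes, a numeric-context value the list never catches, and the bound-variable fix the post recommends. The field names, the sample comments and the request values are constructed for the example; sqlite3's `?` placeholder stands in for cfqueryparam.

```python
import sqlite3

# Port of the blocklist from the UDF above (added example, not the cflib code),
# with "declare" added as the post recommends. Matching is a case-insensitive
# substring test, the same semantics as findNoCase.
SQL_INJECT_TOKENS = [
    "declare", "cast", "exec", "execute", "sp_executesql", "revoke", "grant",
    "select", "insert", "update", "delete", "drop", "--", "'",
]


def is_sql_inject(value):
    """True if any blocklisted token occurs anywhere in the string."""
    lower = str(value).lower()
    return any(token in lower for token in SQL_INJECT_TOKENS)


def scan_scope(scope):
    """Mirror of the cfloop over the url/form scope: names of fields that trip the list."""
    return [name for name, value in scope.items() if is_sql_inject(value)]


def build_db():
    """In-memory comments table with two constructed rows, inserted with bound variables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    rows = [
        (1, "alice", "Casting about for a solution; I declare the issue resolved"),
        (2, "bob", "private note, should not be visible to alice"),
    ]
    conn.executemany("INSERT INTO comments (id, author, body) VALUES (?, ?, ?)", rows)
    return conn


def comment_ids_concatenated(conn, id_text):
    """What the blocklist is papering over: the URL value pasted into the SQL text."""
    sql = "SELECT id FROM comments WHERE id = " + id_text + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def comment_ids_bound(conn, id_text):
    """The fix the post recommends: a bound variable (cfqueryparam in ColdFusion).
    The value is compared as data, so '1 OR 1=1' matches no row at all."""
    sql = "SELECT id FROM comments WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (id_text,))]


# Constructed request scopes (hypothetical field names).
LEGIT_FORM = {"subject": "help", "body": "Casting about for a solution; I declare the issue resolved"}
HOSTILE_URL = {"id": "1 OR 1=1"}  # numeric context: no quote, no keyword, the list never fires


if __name__ == "__main__":
    conn = build_db()
    print(scan_scope(LEGIT_FORM))                             # ['body']: a false positive
    print(scan_scope(HOSTILE_URL))                            # []: the list is silent
    print(comment_ids_concatenated(conn, HOSTILE_URL["id"]))  # [1, 2]: every row leaks
    print(comment_ids_bound(conn, HOSTILE_URL["id"]))         # []: the value stays data
    print(comment_ids_bound(conn, "1"))                       # [1]
```

Binding alone is what makes the hostile value inert; the per-form validation the post also asks for (here, rejecting anything that is not an integer before the query, as cfqueryparam with cf_sql_integer would) is the second, independent layer.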




Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:309553