Justin, Good effort... It does not check the form scope however - or CGI (a rarely used but still vulnerable scope). As has been pointed out, a blacklist function like this one will result in a good number of false positives for items that are legitimate. Also note that not every DB platform requires a semi-colon for end of statement. Some of them allow for line breaks for example (at least in the default installation).
-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Justin Scott [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 07, 2008 12:36 PM
To: CF-Talk
Subject: Re: HELP! SQL Injection Attack!

> And yes, I'd like to see the URL "loop" script that was offered by
> Justin Scott

I've had many requests for the SQL injection prevention script, so I'm just going to post a URL directly to the code and release it into the public domain for anyone interested:

http://www.gravityfree.com/_sqlprev.cfm.txt

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310423
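An added illustration of the two points Mark raises, scope coverage and blacklist false positives, alongside the parameterized-query alternative; this is not code from the thread or from Justin's script. It uses Python with an in-memory SQLite table standing in for the application's database and for ColdFusion's cfqueryparam; the blacklist pattern, the request values and the table contents are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed request carrying the three ColdFusion scopes Mark names: url, form and cgi.
SAMPLE_REQUEST = {
    "url":  {"id": "42"},
    "form": {"comment": "Please update my address; the old one is wrong"},  # legitimate text
    "cgi":  {"HTTP_REFERER": "x'; DROP TABLE users; --"},                   # hostile-looking header
}

# Hypothetical blacklist in the spirit of the script under discussion: a semicolon or
# a handful of SQL keywords anywhere in a value counts as an attack.
BLACKLIST = re.compile(r";|\b(drop|delete|update|insert)\b", re.IGNORECASE)


def blacklist_hits(request, scopes=("url",)):
    """(scope, key) pairs whose value matches BLACKLIST, looking only at the given scopes."""
    return [
        (scope, key)
        for scope in scopes
        for key, value in request.get(scope, {}).items()
        if BLACKLIST.search(value)
    ]


def build_demo_db():
    """In-memory SQLite table standing in for the application's users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user(conn, name):
    """Parameterized lookup: the value is bound as data, so quotes and semicolons in it
    are never interpreted as SQL. ColdFusion's cfqueryparam gives the same guarantee."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    # A url-only check misses the form and cgi scopes entirely; checking every scope
    # catches the cgi value but also flags the harmless form comment (false positive).
    print("url scope only:", blacklist_hits(SAMPLE_REQUEST))
    print("all scopes:    ", blacklist_hits(SAMPLE_REQUEST, ("url", "form", "cgi")))
    db = build_demo_db()
    print("hostile value bound as a parameter:", lookup_user(db, SAMPLE_REQUEST["cgi"]["HTTP_REFERER"]))
    print("rows still present:", user_count(db))
```

The parameterized lookup returns no rows for the hostile value and leaves the table intact, which is the property a blacklist can only approximate.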

