> Good effort... It does not check the form scope however - or CGI

Since nearly all SQL injection attempts come through the URL (including the recent ones), that is where I put the focus. With this script I would not recommend checking the form scope as there is too high a risk of false positives. I've never heard of an injection attack coming through CGI variables. I suppose it's possible, but the percentage of queries using CGI scope data is probably minuscule compared to URL variables.
> As has been pointed out, a blacklist function like this one will
> result in a good number of false positives for items that are legitimate.

I would replace "will" with "may" in that statement, and then agree. We've been using this internally for years without any false positives (yet).

> Also note that not every DB platform requires a semi-colon for
> end of statement. Some of them allow for line breaks for
> example (at least in the default installation).

Ours was designed for SQL Server; perhaps I should have pointed that out earlier. I'll reiterate again that it's not meant as a guaranteed SQL injection stopper, just a quick way to provide a first line of defense while you patch up your queries properly.

-Justin Scott

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310426
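The trade-off the thread describes, as an added Python sketch that is not Justin's script and not ColdFusion: a constructed URL-scope blacklist catches the semicolon-batch pattern, raises a false positive on an ordinary search term, and stays silent on a probe with no semicolon or keyword, while a bound parameter (the cfqueryparam equivalent) holds regardless. The blacklist patterns, the `products` table and the URLs are all assumptions constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# Constructed blacklist in the spirit of a first-line-defense script:
# it scans URL (query-string) values only, not form or CGI scope.
BLACKLIST = re.compile(r"(;|--|/\*|\bunion\b|\bexec\b|\bdeclare\b|\bcast\b)", re.IGNORECASE)


def query_values(url: str) -> list:
    """Decoded values of every name=value pair in the URL's query string."""
    query = urlsplit(url).query
    return [unquote_plus(part.partition("=")[2]) for part in query.split("&") if part]


def url_looks_suspicious(url: str) -> bool:
    """True if any decoded query-string value matches the blacklist."""
    return any(BLACKLIST.search(v) for v in query_values(url))


def make_db() -> sqlite3.Connection:
    """Constructed sample table so the query functions run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def count_rows_concatenated(conn, product_id: str) -> int:
    """The 'before' pattern: user input spliced into SQL text (the thing to patch)."""
    sql = "SELECT name FROM products WHERE id = " + product_id
    return len(conn.execute(sql).fetchall())


def count_rows_parameterized(conn, product_id: str) -> int:
    """The fix: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()
    return len(rows)


if __name__ == "__main__":
    conn = make_db()
    # Semicolon-separated batch: caught by the blacklist.
    print(url_looks_suspicious("/product.cfm?id=1;DECLARE%20@s%20varchar(4000)"))  # True
    # Legitimate search term containing the English word "cast": a false positive.
    print(url_looks_suspicious("/search.cfm?q=cast%20iron%20pan"))  # True
    # No semicolon or keyword, so the blacklist stays silent...
    print(url_looks_suspicious("/product.cfm?id=1%20OR%201=1"))  # False
    # ...yet concatenation returns every row, while the bound parameter returns none.
    print(count_rows_concatenated(conn, "1 OR 1=1"), count_rows_parameterized(conn, "1 OR 1=1"))  # 2 0
```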

