>Wouldn't this also catch words like 'myselection'? Yes. \b is your friend. :)
Or possibly even stuff like "(?<=^|;)\s*(?:SELECT|DECLARE|EXEC|etc)\b" to ensure this is stuff at the beginning of a string/statement.

But I don't really agree with the general approach here. With cfqueryparam + thorough code reviews + security testing both before and after code goes live, you don't need to worry about this. (And if you want to block frequent blatant attacks from wasting server resources, do it at the firewall level, not the application server level.)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348057

