Thanks Matt. I'm going to go the application.VariableName route and
just update my code accordingly.
In my Application.cfm, I've had a chunk of code that ran every request
that would check to see if a form was submitted, or if a URL variable
was present, and it'd parse that data looking for potential SQL
injections. I picked this up from someone on here several years ago,
so 1) I'm unsure how modern this is and 2) I'm unsure how to apply
this to the Application.cfc.
How would I insert this into the Application.cfc?
<!--- CREATE SQL REGULAR EXPRESSION (one alternative per statement type;
      concatenated so no line breaks end up inside the pattern) --->
<cfset sqlregex = "(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
    & "(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
    & "(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
    & "(DELETE\sFROM\s[\d\w\'\=]+)|"
    & "(DROP\sTABLE\s[\d\w\'\=]+)">
<!--- CHECK form VARIABLES --->
<cfloop collection="#form#" item="formelement">
    <!--- formelement is the key name; read the value from the scope directly
          rather than through evaluate() --->
    <cfif isSimpleValue(form[formelement]) and reFindNoCase(sqlregex, form[formelement])>
        <!--- clear the scope before redirecting: cflocation ends processing,
              so anything placed after it never runs --->
        <cfset StructClear(form)>
        <cflocation url="messages.cfm?message=#urlEncodedFormat('Invalid Input. Possible SQL Injection attack.')#" addtoken="false">
    </cfif>
</cfloop>
<!--- CHECK URL VARIABLES --->
<cfloop collection="#url#" item="urlelement">
    <cfif isSimpleValue(url[urlelement]) and reFindNoCase(sqlregex, url[urlelement])>
        <cfset StructClear(url)>
        <cflocation url="messages.cfm?message=#urlEncodedFormat('Invalid Input. Possible SQL Injection attack.')#" addtoken="false">
    </cfif>
</cfloop>
--
online documentation: http://openbd.org/manual/
http://groups.google.com/group/openbd?hl=en
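The per-request check from the post, moved into an Application.cfc, as an added example (not the poster's code and not part of OpenBD). It assumes a placeholder application name and the same messages.cfm redirect target the post uses; the regular expression is the one from the post, wrapped in a private function so the form and url scopes are checked by the same rule. Where Application.cfm ran the check as inline code on every request, Application.cfc runs it from onRequestStart(), which is called once per request before the requested page.

```cfml
<!--- Application.cfc (added example, not from the original post). --->
<cfcomponent output="false">
    <!--- placeholder application name; replace with your own --->
    <cfset this.name = "MyOpenBDApp">

    <!--- Called once per request before targetPage runs.
          Returning true lets the request continue. --->
    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">

        <!--- form scope: clear it before redirecting, because cflocation
              ends processing and nothing after it runs --->
        <cfif scopeHasSqlInjection(form)>
            <cfset structClear(form)>
            <cflocation url="messages.cfm?message=#urlEncodedFormat('Invalid Input. Possible SQL Injection attack.')#" addtoken="false">
        </cfif>

        <!--- url scope: same rule --->
        <cfif scopeHasSqlInjection(url)>
            <cfset structClear(url)>
            <cflocation url="messages.cfm?message=#urlEncodedFormat('Invalid Input. Possible SQL Injection attack.')#" addtoken="false">
        </cfif>

        <cfreturn true>
    </cffunction>

    <!--- Returns true if any simple value in the given scope struct matches
          the SQL statement pattern from the original Application.cfm check. --->
    <cffunction name="scopeHasSqlInjection" returntype="boolean" access="private" output="false">
        <cfargument name="scope" type="struct" required="true">
        <cfset var key = "">
        <cfset var sqlregex = "(SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|"
            & "(UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|"
            & "(INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|"
            & "(DELETE\sFROM\s[\d\w\'\=]+)|"
            & "(DROP\sTABLE\s[\d\w\'\=]+)">

        <cfloop collection="#arguments.scope#" item="key">
            <!--- skip nested structs/arrays; only plain strings are matched --->
            <cfif isSimpleValue(arguments.scope[key])
                  and reFindNoCase(sqlregex, arguments.scope[key]) gt 0>
                <cfreturn true>
            </cfif>
        </cfloop>
        <cfreturn false>
    </cffunction>
</cfcomponent>
```

When an Application.cfc is present the server ignores Application.cfm, so the check should live in one place only. Two caveats a practitioner would want: this pattern is a coarse pre-filter, so it will also reject legitimate input that happens to contain a phrase like "select ... from" in free text, and it does not replace binding every query parameter with cfqueryparam, which is the control that addresses injection regardless of what the input looks like.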