CFLib.org – Common Function Library Project

IsSQLInject(input)

Last updated July 1, 2002

Version: 1 | Requires: ColdFusion 5 | Library: DatabaseLib

 
Rated 14 time(s). Average Rating: 2.1

Description:
This security-related function is intended to test for strings that users intentionally or otherwise may pass in form fields that may cause SQL injection to occur. SQL injection is an event in which a malicious or unknowing user inserts arbitrary SQL statements into queries without the knowledge of the programmer. This UDF mainly relates to those using SQLServer, I am not sure if the test I use protects against the same vulnerabilities on other database platforms.

Return Values:
Returns a boolean.

Example:

view plain print about
<cfset sqlString1 = "Chicken soup with rice">
<cfset sqlString2 = "Chicken soup with' drop table soups--">

<cfoutput>
sqlString1 = #sqlString1# IsSQLInject? #IsSQLInject(sqlString1)#<br>
sqlString2 = #sqlString2# IsSQLInject? #IsSQLInject(sqlString2)#<br>
</cfoutput>

Parameters:

Name Description Required
input String to check. Yes

Full UDF Source:

view plain print about
<cfscript>
/**
 * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
 * 
 * @param input      String to check. (Required)
 * @return Returns a boolean. 
 * @author Will Vautrain (vautrain@yahoo.com) 
 * @version 1, July 1, 2002 
 */

function IsSQLInject(input) {
    /*
    * The SQL-injection strings were used at the suggestion of Chris Anley [chris@ngssoftware.com]
    * in his paper "Advanced SQL Injection In SQL Server Applications" available for downloat at
    * http://www.ngssoftware.com/
    */

    var listSQLInject = "select,insert,update,delete,drop,--,'";
    var arraySQLInject = ListToArray(listSQLInject);
    var i = 1;
    
    for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
        if(findNoCase(arraySQLInject[i], input)) return true;
    }
    
    return false;
}
</cfscript>
blog comments powered by Disqus

Search CFLib.org


Latest Additions

Adam Cameron Adam Cameron added
createPrimeNumbe...
13 day(s) ago

Ray Ford Ray Ford added
timeZoneNow
28 day(s) ago

Henry Ho Henry Ho added
queryExecute
a while ago

Rick Root Rick Root added
deleteDirectory
a while ago

Top Rated

Darwan Leonardo Sitepu backupDatabase
Rated 5.0, 48 time(s)

Barney Boisvert indentXml
Rated 5.0, 12 time(s)

Rachel Lehman deAccent
Rated 5.0, 9 time(s)

Darwan Leonardo Sitepu splitNumber
Rated 5.0, 8 time(s)

Created by Raymond Camden / Design by Justin Johnson