Now I'm rubbish at Regex, but how about a simple one:
Which should (untested) give you the word "select" with anything other than a letter before or after it.
Thanks Owain. I have tried it in a test as:
<cfset myfield = " the selection is">
<cfif (ListContainsNoCase(myfield, "[^a-z]SELECT[^a-z]"))>
and it does not seem to be working. I have also tried variations on the theme, to no effect.
Try it with ReFindNoCase.
As Dan says, make sure you're not using a case-sensitive search; these hackers can sometimes be inconsiderate and not keep to strict grammar rules.
I've had a play with my Regex tester, this one definitely works:
Word boundary, followed by at least one select, update or insert, then followed by a word boundary.
Obviously, the right way (if you will...) to solve this kind of problem is: <cfqueryparam>.
In other words... never allow user-contributed text to appear, in any form or under any circumstances, within an SQL query that ColdFusion ever presents to the server. The one and only way that such text should appear is: as a parameter.
An SQL server will never interpret a query-parameter as possibly being part of the SQL string. It will have already parsed the SQL text, already generated the execution plan, and be ready to execute it. The string, no matter what it may contain, will only be interpreted as "character data."
Every "injection attack," no matter what flavor it is, always relies upon mis-interpretation and/or mis-handling of the data that is being "injected." But there are always ways to prevent this.
It's unfortunate that the ColdFusion language has no notion of Perl's "taint mode," which actually flags individual data-values(!) as "potentially tainted" as they flow through the system.
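As an added illustration of TLC-IT's point (this is not code from the thread): the same lookup written once with the user's value spliced into the SQL text and once with <cfqueryparam>. The table, column, datasource and field names are placeholders.

```cfml
<!--- Constructed example. "products", "application.dsn" and url.id are assumed names. --->
<cfparam name="url.id" default="">
<cfparam name="form.q" default="">

<!--- Vulnerable: the value is part of the SQL string the server parses.
      ColdFusion doubles single quotes inside a cfquery body, but here there
      are no quotes to escape, so whatever url.id holds becomes SQL. --->
<cfquery name="badLookup" datasource="#application.dsn#">
    SELECT id, name
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened: the value travels as a bind parameter. The statement is parsed
      and planned before the value is seen, so it can only ever be data.
      cf_sql_integer also makes ColdFusion reject a non-numeric value outright. --->
<cfquery name="safeLookup" datasource="#application.dsn#">
    SELECT id, name
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same idea for free text: the LIKE pattern is built in ColdFusion and
      passed as one varchar parameter; maxlength bounds what is accepted. --->
<cfquery name="safeSearch" datasource="#application.dsn#">
    SELECT id, name
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#form.q#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="100">
</cfquery>
```

The keyword regex discussed earlier can still be useful as a logging or alerting signal, but it is not what makes the query safe; the parameter is.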
TLC-IT's point is valid in that SQL injection attacks thrive on misinterpreted statements - you should use cfqueryparam religiously!