Pete Freitag Pete Freitag

Detecting SQL Injection with ScriptProtect

Published on May 18, 2005
By Pete Freitag
coldfusiondatabases

It occurred to me this morning that ScriptProtect can be a handy feature for globally catching a few forms of SQL Injection Attacks

WARNING - just like its inability to protect against all forms of XSS attacks this solution DOES NOT protect you from all SQL Injection attacks.

You can edit, and add the regular expression patterns for the scriptprotect feature in ColdFusion MX 7 by editing neo-security.xml located in WEB-INF/cfusion/lib. Add the following pattern under the default cross site scripting pattern.

<var name=";.*(select|insert|update|delete|drop|alter|create)">
<string>SQL_INJECTION_ATTEMPT</string>
</var>

I first tried just using a ; as the pattern - but that caused problems with some of the variables in the CGI scope (things like User Agent often have semi-colon's in them). So the pattern now looks for a semi-colon followed by zero or more characters followed by a select, insert, update, delete, drop alter or a create.

Don't expect to catch all possible SQL Injection attacks with this, so don't trust it to stop them. I'm just posting this FYI.



scriptprotect sql injection security coldfusion 7

Detecting SQL Injection with ScriptProtect was first published on May 18, 2005.

If you like reading about scriptprotect, sql injection, security, or coldfusion 7 then you might also like:

Fixinator

The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.


Try Fixinator

CFBreak
The weekly newsletter for the CFML Community


Comments

What happens if this pattern is detected? Does it throw an error you can catch with CFCATCH or just put something in the logs?
by Brian G on 05/19/2005 at 6:32:34 PM UTC
This would be great if it worked. Tried it and it didn't prevent a SQL injection attack. It also caused errors in the CGI scope.
by David S on 10/27/2005 at 5:02:31 PM UTC
I used this instead and it worked great.

\s*(select|insert|update|delete|drop|alter|create)
by matt on 08/22/2007 at 8:41:17 AM UTC