trycf · February 4, 2026 19:08
diff --git a/trycf-gist-1770231999310-fd104c6e-204f-f105-98f2-aaf8801f0484.cfm b/trycf-gist-1770231999310-fd104c6e-204f-f105-98f2-aaf8801f0484.cfm
 <cfscript>
    checkFields = ["test1", "test2"]
    temp = hashasSuspiciousInput();
    public boolean function hasSuspiciousInput( required array checkFields ) {
 		var suspiciousInput = false;
 		var sqlPatterns = getSQLInjecionPatterns();
 		cfloop( array=arguments.checkFields, index="fieldValue" ){
 			if( fieldValue.trim().len() > 0 ) {
 				cfloop( array=sqlPatterns, index="pattern" ){
 					if( reFindNoCase(pattern, fieldValue) ) {
 						suspiciousInput = true;
 						break;
 					}
 				}
 				if ( suspiciousInput ) {
 					break;
 				}
 			}
 		}
 		
 		return suspiciousInput;
 	}
 	public void function blockOnSuspiciousInput( required boolean hasSuspiciousInput, required struct loginData, string failReason ) {
 		
 		if( arguments.hasSuspiciousInput ) {
 			application.loginService.logFailedLogin( argumentCollection=arguments.loginData.append( { failReason: arguments.failReason } ) );
 			location( "/login.asp?nologin=1&sql=1", "false" );
 			abort;
 		}
 	}
 	private array function getSQLInjecionPatterns() {
 		sqlPatterns = [
 			"(\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|EXEC|EXECUTE|UNION|DECLARE|CAST|CONVERT)\b)",
 			"(--|\|\/\*|\*\/)",
 			"(\bOR\b.*=.*)",
 			"(\bAND\b.*=.*)",
 			"(;.*\b(SELECT|INSERT|UPDATE|DELETE|DROP)\b)",
 			"(UPDATEXML|EXTRACTVALUE|XMLTYPE|JSON_KEYS|GTID_SUBSET)",
 			"(UTL_INADDR|DBMS_UTILITY|UTL_HTTP|UTL_FILE)",
 			"(\bROW\s*\()",
 			"(CONCAT\s*\(.*SELECT)",
 			"(\x27|\x22)(\s*)(OR|AND)(\s*)(\x27|\x22)",
 			"(WAITFOR\s+DELAY)",
 			"(BENCHMARK\s*\()",
 			"(SLEEP\s*\()",
 			"(\|\|.*SELECT)",
 			"(CHAR\s*\(\d+\))",
 			"(0x[0-9A-F]+)",
 			"(%27|%22|%2D%2D|%23)"
 		];
 		return sqlPatterns;
 	}
 </cfscript>
	<cfscript>
	checkFields = ["test1", "test2"]
	temp = hashasSuspiciousInput();
	public boolean function hasSuspiciousInput( required array checkFields ) {
	var suspiciousInput = false;
	var sqlPatterns = getSQLInjecionPatterns();
	cfloop( array=arguments.checkFields, index="fieldValue" ){
	if( fieldValue.trim().len() > 0 ) {
	cfloop( array=sqlPatterns, index="pattern" ){
	if( reFindNoCase(pattern, fieldValue) ) {
	suspiciousInput = true;
	break;
	}
	}
	if ( suspiciousInput ) {
	break;
	}
	}
	}

	return suspiciousInput;
	}
	public void function blockOnSuspiciousInput( required boolean hasSuspiciousInput, required struct loginData, string failReason ) {

	if( arguments.hasSuspiciousInput ) {
	application.loginService.logFailedLogin( argumentCollection=arguments.loginData.append( { failReason: arguments.failReason } ) );
	location( "/login.asp?nologin=1&sql=1", "false" );
	abort;
	}
	}
	private array function getSQLInjecionPatterns() {
	sqlPatterns = [
	"(\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP\|CREATE\|ALTER\|EXEC\|EXECUTE\|UNION\|DECLARE\|CAST\|CONVERT)\b)",
	"(--\|\\|\/\\|\\/)",
	"(\bOR\b.=.)",
	"(\bAND\b.=.)",
	"(;.*\b(SELECT\|INSERT\|UPDATE\|DELETE\|DROP)\b)",
	"(UPDATEXML\|EXTRACTVALUE\|XMLTYPE\|JSON_KEYS\|GTID_SUBSET)",
	"(UTL_INADDR\|DBMS_UTILITY\|UTL_HTTP\|UTL_FILE)",
	"(\bROW\s*\()",
	"(CONCAT\s\(.SELECT)",
	"(\x27\|\x22)(\s)(OR\|AND)(\s)(\x27\|\x22)",
	"(WAITFOR\s+DELAY)",
	"(BENCHMARK\s*\()",
	"(SLEEP\s*\()",
	"(\\|\\|.*SELECT)",
	"(CHAR\s*\(\d+\))",
	"(0x[0-9A-F]+)",
	"(%27\|%22\|%2D%2D\|%23)"
	];
	return sqlPatterns;
	}
	</cfscript>
No results found