Useful to determine if braces are correctly matched before processing. Helps reduce SQLi.
I was using a version of smartSearch from CFLib.org that I had updated with some simple regex detection for SQLi strings, but it wasn't catching everything. I considered disabling the bracket matching feature and rejecting any query search terms that attempted to use ( or ), but then considered that I should validate so that the feature could still be used since it is beneficial when not being exploited.
I couldn't find any UDFs on CFLib or other ColdFusion/CFML snippets to validate brackets in a string. (If there's existing code, let me know. I wasn't able to find it.) I read a couple recommendations on StackOverflow indicating that it shouldn't be validated using regex, so I wrote a UDF that reduces & validates braces in a string and returns a Boolean response. This allows us to determine whether we can safely use the string when generating a SQL search string (or use 1=0 as a fallback).
Source Code
https://gist.github.com/JamoCA/a35ffaabc00e0339a9996e27825159a7
Top comments (3)
I was about to ask if you were using
cfqueryparamfor your search; but, I just looked at the Smart Search UDF, and it looks like it uses some SQL generation, which somewhat rules-out the parameterization.I use an internally updated version of SmartSearch. I've added logic to identify SQLi and return
1=0if any is detected. (I'm planning on sharing my UDF updates, but will be releasing it on a new CFML resource website that I'm building.)Sounds exciting! Looking forward to seeing what you've got in store.