I was using a version of smartSearch from CFLib.org that I had updated with some simple regex detection for SQLi strings, but it wasn't catching everything. I considered disabling the bracket matching feature and rejecting any query search terms that attempted to use
), but then considered that I should validate so that the feature could still be used since it is beneficial when not being exploited.
I couldn't find any UDFs on CFLib or other ColdFusion/CFML snippets to validate brackets in a string. (If there's existing code, let me know. I wasn't able to find it.) I read a couple recommendations on StackOverflow indicating that it shouldn't be validated using regex, so I wrote a UDF that reduces & validates braces in a string and returns a Boolean response. This allows us to determine whether we can safely use the string when generating a SQL search string (or use
1=0 as a fallback).