– Common Function Library Project


Last updated July 1, 2002


Will Vautrain

Version: 1 | Requires: CF5 | Library: DatabaseLib

This security-related function is intended to test for strings that users intentionally or otherwise may pass in form fields that may cause SQL injection to occur. SQL injection is an event in which a malicious or unknowing user inserts arbitrary SQL statements into queries without the knowledge of the programmer. This UDF mainly relates to those using SQLServer, I am not sure if the test I use protects against the same vulnerabilities on other database platforms.

Return Values:
Returns a boolean.


<cfset sqlString1 = "Chicken soup with rice">
<cfset sqlString2 = "Chicken soup with' drop table soups--">

sqlString1 = #sqlString1# IsSQLInject? #IsSQLInject(sqlString1)#<br>
sqlString2 = #sqlString2# IsSQLInject? #IsSQLInject(sqlString2)#<br>


Name Description Required
input String to check. Yes

Full UDF Source:

 * Tests a string, one-dimensional array, or simple struct for possible SQL injection.
 * @param input 	 String to check. (Required)
 * @return Returns a boolean. 
 * @author Will Vautrain ( 
 * @version 1, July 1, 2002 
function IsSQLInject(input) {
	* The SQL-injection strings were used at the suggestion of Chris Anley []
	* in his paper "Advanced SQL Injection In SQL Server Applications" available for downloat at
	var listSQLInject = "select,insert,update,delete,drop,--,'";
	var arraySQLInject = ListToArray(listSQLInject);
	var i = 1;
	for(i=1; i lte arrayLen(arraySQLInject); i=i+1) {
		if(findNoCase(arraySQLInject[i], input)) return true;
	return false;
blog comments powered by Disqus


Latest Additions

Gary Stanton added
November 19, 2015

Sebastiaan Naafs - van Dijk added
November 13, 2015

Simon Bingham added
April 15, 2015

Umbrae added
February 11, 2015

Mosh Teitelbaum added
January 8, 2015

Created by Raymond Camden / Design by Justin Johnson