DEV Community

Cover image for areBracesValid UDF for ColdFusion/CFML
James Moberg
James Moberg

Posted on

areBracesValid UDF for ColdFusion/CFML

Useful to determine if braces are correctly matched before processing. Helps reduce SQLi.

I was using a version of smartSearch from CFLib.org that I had updated with some simple regex detection for SQLi strings, but it wasn't catching everything. I considered disabling the bracket matching feature and rejecting any query search terms that attempted to use ( or ), but then considered that I should validate so that the feature could still be used since it is beneficial when not being exploited.

I couldn't find any UDFs on CFLib or other ColdFusion/CFML snippets to validate brackets in a string. (If there's existing code, let me know. I wasn't able to find it.) I read a couple recommendations on StackOverflow indicating that it shouldn't be validated using regex, so I wrote a UDF that reduces & validates braces in a string and returns a Boolean response. This allows us to determine whether we can safely use the string when generating a SQL search string (or use 1=0 as a fallback).

Source Code

https://gist.github.com/JamoCA/a35ffaabc00e0339a9996e27825159a7

Top comments (3)

Collapse
 
bennadel profile image
Ben Nadel

I was about to ask if you were using cfqueryparam for your search; but, I just looked at the Smart Search UDF, and it looks like it uses some SQL generation, which somewhat rules-out the parameterization.

Collapse
 
gamesover profile image
James Moberg

I use an internally updated version of SmartSearch. I've added logic to identify SQLi and return 1=0 if any is detected. (I'm planning on sharing my UDF updates, but will be releasing it on a new CFML resource website that I'm building.)

Collapse
 
bennadel profile image
Ben Nadel

Sounds exciting! Looking forward to seeing what you've got in store.