Portcullis 2.0 released
Finally took some time to fix a few items in Portcullis that were bugging me. If you haven't heard of Portcullis or aren't currently using it, it is a ColdFusion component designed to help block and log SQL injection and Cross-site scripting (XSS) attacks. It's pretty widely used and will be included in the 3.2 release of the popular ColdFusion MVC framework - Model-Glue.
You can download it at http://portcullis.riaforge.org
The new Portcullis filter has a number of new features.
Context-aware SQL command word filtering. This is a long name for a fairly simple problem. Many of the common SQL command words, like 'select' and 'alter', are also used in everyday speech. In the old version of Portcullis this produced some annoying false positives, such as 'firstname=walter' being changed to 'firstname=w[INVALID]'. The new filter looks at the context in which the command word is used, so 'drop me from this list' will not get filtered but 'drop table users' will.
Accessors. You can now dynamically configure Portcullis through either the init() or setSettings() method. This lets you alter Portcullis settings on the fly, as if it were running in various 'modes'. The default settings are still within the CFC, but they can now be overridden as needed.
For example, when creating an instance of Portcullis you can now do something like the following:
<cfset settings = StructNew()/>
<cfset settings.log = true/>
<cfset settings.ipBlock = false/>
<cfset settings.sqlFilter = "select,insert,update,delete,drop,alter,declare,execute"/>
<cfset request.Portcullis = createObject("component","Portcullis").init(settings)/>
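To make the context-aware idea concrete, here is a small added example (not Portcullis's own code, and not CFML) that puts the old "any occurrence of a command word" behaviour next to a filter that only flags a command word when the tokens after it look like SQL. The command-word list is the one from the sqlFilter setting above; the context rules, the [INVALID] replacement and the form scope below are constructed assumptions for illustration, not Portcullis's actual rules.

```python
import re

# Command-word list taken from the settings.sqlFilter example in the post.
SQL_COMMAND_WORDS = ["select", "insert", "update", "delete", "drop", "alter", "declare", "execute"]

# Hypothetical context rules (assumption: Portcullis's real rules are not shown on the page).
# Each rule is a lookahead that must hold right after the command word for it to count as SQL,
# so the word is only replaced when it is used the way a SQL statement would use it.
SQL_CONTEXT_RULES = {
    "select":  r"(?=\s+(\*|\w+(\s*,\s*\w+)*)\s+from\b)",      # SELECT cols FROM
    "insert":  r"(?=\s+into\b)",                               # INSERT INTO
    "update":  r"(?=\s+\w+\s+set\b)",                          # UPDATE t SET
    "delete":  r"(?=\s+from\b)",                               # DELETE FROM
    "drop":    r"(?=\s+(table|database|view|index|procedure)\b)",
    "alter":   r"(?=\s+(table|database|view|index|procedure)\b)",
    "declare": r"(?=\s+@\w+)",                                 # DECLARE @var
    "execute": r"(?=\s*\(|\s+(sp_|xp_)\w+)",                   # EXECUTE(...) / EXECUTE sp_...
}


def naive_filter(value):
    """Old-style filtering: any occurrence of a command word, even inside another
    word, is replaced. This is what turns 'firstname=walter' into 'firstname=w[INVALID]'."""
    result = value
    for word in SQL_COMMAND_WORDS:
        result = re.sub(word, "[INVALID]", result, flags=re.IGNORECASE)
    return result


def context_filter(value):
    """Context-aware filtering: a command word is replaced only when it is a whole word
    and is followed by tokens that make it read as SQL.
    Returns (filtered_value, list_of_flagged_command_words)."""
    flagged = []
    result = value
    for word in SQL_COMMAND_WORDS:
        pattern = re.compile(r"\b" + word + r"\b" + SQL_CONTEXT_RULES[word], re.IGNORECASE)
        if pattern.search(result):
            flagged.append(word)
            result = pattern.sub("[INVALID]", result)
    return result, flagged


def filter_scope(scope, log=True):
    """Run the context-aware filter over a request scope (dict of field -> value),
    in the spirit of scanning form/url fields and logging hits when logging is on.
    Returns (cleaned_scope, log_entries)."""
    cleaned = {}
    log_entries = []
    for name, value in scope.items():
        filtered, flagged = context_filter(value)
        cleaned[name] = filtered
        if flagged and log:
            log_entries.append(f"{name}: flagged {','.join(flagged)}")
    return cleaned, log_entries


# Constructed sample form submission: one harmless name, one harmless sentence,
# and one field that really does carry a SQL statement.
SAMPLE_FORM = {
    "firstname": "walter",
    "comment": "drop me from this list",
    "search": "drop table users",
}

if __name__ == "__main__":
    print("naive:  ", naive_filter("firstname=walter"))      # firstname=w[INVALID]
    print("context:", context_filter("firstname=walter"))    # unchanged, nothing flagged
    print("context:", context_filter("drop me from this list"))
    print("context:", context_filter("drop table users"))    # [INVALID] table users, ['drop']
    print(filter_scope(SAMPLE_FORM))
```

Running the two filters side by side on the page's own strings shows the difference: the naive pass mangles 'walter' and 'drop me from this list', while the context-aware pass leaves both alone and still catches 'drop table users'. Tightening or loosening the lookahead rules is the trade-off between false positives and missed statements.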
And as always, the default keyword lists have been updated with some new items to search for.
If you're not using Portcullis yet, I can only say it has saved a lot of developers their time and possibly their jobs. I know some people use AntiSamy, which is a simple Java-based filter, but frankly it doesn't do very much in my opinion. The cool thing about Portcullis is that it's written entirely in CFML, so it's easy to install, manage and maintain. It will also work across all the known CFML engines.
Warning - jumping on my Soapbox :)
Most ColdFusion web developers are now finally using cfqueryparam; it has taken about 10 years since that tag was introduced, but I guess better late than never. Keep in mind that cfqueryparam prevents most forms of SQL injection but not all, and it does nothing against cross-site scripting (XSS) attacks. It doesn't matter how small your site is or where it's hosted, it will experience these attack vectors. Portcullis takes maybe 5 minutes to install and configure. Nothing is perfect, but Portcullis has a solid track record - just google it. So there's simply no reason I can think of why a ColdFusion-based site shouldn't use it.
Dan Wilson wrote on 01/07/10 8:34 PM
John, These are really great enhancements.
The new configuration option will help us integrate this with Model-Glue and ColdSpring.
The false-positive reduction changes really help us move ahead implementing this.
Thanks for the hard work on Portcullis, truly, these days all public facing applications must have some XSS and SQL Injection protection.