JamoCA/areBracesValid.cfm

## areBracesValid.cfm
<!--- areBracesValid ColdFusion/CFML UDF (2022-09-16)
Useful to determine if braces are correctly matched before processing. Helps reduce SQLi.
By James Moberg - SunStar Media https://www.sunstarmedia.com/
Gist: https://gist.github.com/JamoCA/a35ffaabc00e0339a9996e27825159a7
Blog: https://dev.to/gamesover/arebracesvalid-udf-for-coldfusioncfml-21fg
Tweet: https://twitter.com/gamesover/status/1570911352138641408
20220918 Updated to use single refind/replaceAll expressions
20221108 Updated to use "while" instead of cfloop/condition (which isn't supported by Lucee in cfscript.)
--->
<cfscript>
boolean function areBracesValid(required string string) hint="Validates if braces are correctly matched" {
	local.string = javacast("string", arguments.string).replaceAll("[^\[\]\{\}\(\)]", "");
	if (!len(local.string)) return true;  // no braces
	if (len(local.string) mod 2) return false; // odd number of braces
	local.bracketFound = 1;
	while (local.bracketFound) {
		local.bracketFound = refind("(\(\))|(\[\])|(\{\})", local.string);
		if (local.bracketFound){
			local.string = local.string.replaceAll("(\(\))|(\[\])|(\{\})", "");
		}
	}
	return (len(local.string)) ? false : true;
}
</cfscript>

## areBracesValid_test.cfm
<cfset tests = [
	"1') AND 5410=3868 AND ('tVgF'='tVgF"
	,"1') AND 3265=DBMS_PIPE.RECEIVE_MESSAGE(CHR(90)||CHR(76)||CHR(98)||CHR(98),5) AND ('wIxt'='wIxt"
	,"(1=0) and (R.ID = 2)"
	,"(([R].[Name] LIKE '%a%') OR ([R].[First] LIKE '%a%') OR ([R].[Last] LIKE '%a%') OR ([R].[Company] LIKE '%a%')) AND (([R].[Name] LIKE '%b%') OR ([R].[First] LIKE '%b%') OR ([R].[Last] LIKE '%b%') OR ([R].[Company] LIKE '%b%')) AND (([R].[Name] LIKE '%c%') OR ([R].[First] LIKE '%c%') OR ([R].[Last] LIKE '%c%') OR ([R].[Company] LIKE '%c%')) AND (([R].[Name] LIKE '%d%') OR ([R].[First] LIKE '%d%') OR ([R].[Last] LIKE '%d%') OR ([R].[Company] LIKE '%d%'))"
]>

<cfoutput>
	<cfloop array="#tests#" index="test">
		<fieldset>
			<legend>#encodeforhtml(test)#</legend>
			VALID = #areBracesValid(test)#
		</fieldset>
	</cfloop>
</cfoutput>
	<!--- areBracesValid ColdFusion/CFML UDF (2022-09-16)
	Useful to determine if braces are correctly matched before processing. Helps reduce SQLi.
	By James Moberg - SunStar Media https://www.sunstarmedia.com/
	Gist: https://gist.github.com/JamoCA/a35ffaabc00e0339a9996e27825159a7
	Blog: https://dev.to/gamesover/arebracesvalid-udf-for-coldfusioncfml-21fg
	Tweet: https://twitter.com/gamesover/status/1570911352138641408
	20220918 Updated to use single refind/replaceAll expressions
	20221108 Updated to use "while" instead of cfloop/condition (which isn't supported by Lucee in cfscript.)
	--->
	<cfscript>
	boolean function areBracesValid(required string string) hint="Validates if braces are correctly matched" {
	local.string = javacast("string", arguments.string).replaceAll("[^\[\]\{\}\(\)]", "");
	if (!len(local.string)) return true; // no braces
	if (len(local.string) mod 2) return false; // odd number of braces
	local.bracketFound = 1;
	while (local.bracketFound) {
	local.bracketFound = refind("(\(\))\|(\[\])\|(\{\})", local.string);
	if (local.bracketFound){
	local.string = local.string.replaceAll("(\(\))\|(\[\])\|(\{\})", "");
	}
	}
	return (len(local.string)) ? false : true;
	}
	</cfscript>
	<cfset tests = [
	"1') AND 5410=3868 AND ('tVgF'='tVgF"
	,"1') AND 3265=DBMS_PIPE.RECEIVE_MESSAGE(CHR(90)\|\|CHR(76)\|\|CHR(98)\|\|CHR(98),5) AND ('wIxt'='wIxt"
	,"(1=0) and (R.ID = 2)"
	,"(([R].[Name] LIKE '%a%') OR ([R].[First] LIKE '%a%') OR ([R].[Last] LIKE '%a%') OR ([R].[Company] LIKE '%a%')) AND (([R].[Name] LIKE '%b%') OR ([R].[First] LIKE '%b%') OR ([R].[Last] LIKE '%b%') OR ([R].[Company] LIKE '%b%')) AND (([R].[Name] LIKE '%c%') OR ([R].[First] LIKE '%c%') OR ([R].[Last] LIKE '%c%') OR ([R].[Company] LIKE '%c%')) AND (([R].[Name] LIKE '%d%') OR ([R].[First] LIKE '%d%') OR ([R].[Last] LIKE '%d%') OR ([R].[Company] LIKE '%d%'))"
	]>

	<cfoutput>
	<cfloop array="#tests#" index="test">
	<fieldset>
	<legend>#encodeforhtml(test)#</legend>
	VALID = #areBracesValid(test)#
	</fieldset>
	</cfloop>
	</cfoutput>