cfqueryparam tool

Question

I am looking for a tool that will go through my coldfusion code and add cfqueryparam's where needed. I found many that will scan and show me where I need to make changes but I found one at http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection which is pretty close to what I was looking for. But it doesn't add the cfsqltype (or maxlength) and I was wondering if this still prevents sql injection without cfsqltype? And if it is required (I know it is technically optional) do you know of another tool that will do this? I also read that it is also important to make sure that any variables in the order by clause are parameterized also, which this tool doesn't check for.

I am thinking of buckling down and changing the code from http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection to do all this, but I thought it would be wise to ask first.

BKBK · Answer

From what I have read, the tools may be inaccurate. I would suggest buckling down and doing the hard work instead.

Do an extended search in your text editor for <cfquery. Proceed systematically per directory. Make a record of the files found and the relevant line numbers.

Then go through the list, one by one, adding the cfqueryparam tags where necessary. In the end you will be confident that your code has mitigated the security risks the way you want.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded