• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

cfqueryparam tool

New Here ,
Apr 29, 2016 Apr 29, 2016

Copy link to clipboard

Copied

I am looking for a tool that will go through my coldfusion code and add cfqueryparam's where needed. I found many that will scan and show me where I need to make changes but I found one at http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection which is pretty close to what I was looking for. But it doesn't add the cfsqltype (or maxlength) and I was wondering if this still prevents sql injection without cfsqltype? And if it is required (I know it is technically optional) do you know of another tool that will do this? I also read that it is also important to make sure that any variables in the order by clause are parameterized also, which this tool doesn't check for.

I am thinking of buckling down and changing the code from http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection to do all this, but I thought it would be wise to ask first.

Views

246

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
May 01, 2016 May 01, 2016

Copy link to clipboard

Copied

From what I have read, the tools may be inaccurate. I would suggest buckling down and doing the hard work instead.

Do an extended search in your text editor for <cfquery. Proceed systematically per directory. Make a record of the files found and the relevant line numbers.

Then go through the list, one by one, adding the cfqueryparam tags where necessary. In the end you will be confident that your code has mitigated the security risks the way you want.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
LEGEND ,
May 02, 2016 May 02, 2016

Copy link to clipboard

Copied

LATEST

I have to agree with BKBK​.  It may be a pain, esp if you have hundreds of files that contain queries.  But it's the best way to make sure you've got all of them covered, and you don't have to risk some third-party tool screwing up your code.  It can happen.

V/r,

^_^

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation