When the recent spate of SQL injection attacks started hitting the ColdFusion community, I actually felt pretty safe. I thought to myself, "I have been using <cfqueryparam> for years. Every query that I have written since before I started working for myself has been safe from SQL injection attacks."


Thanks Steve! :)

I have now released v0.7, which (amongst other things) adds an "ignore built-in functions" option which prevents false positives like #Val(...)# and similar.

Also, I think I made it display the queries by default now, so they are not hidden like before.
# Posted By Peter Boughton | 9/23/08 12:23 PM

Those enhancements look great! If I were going to ask for any improvements, those would be the ones I would request.

Thanks for your hard work!
# Posted By Steve Bryant | 9/23/08 1:38 PM

The QueryParam scanner is a great tool.

May I request one enhancement to it?
I wish there were a way to make it ignore the commented code.
# Posted By Jalpesh Patel | 9/3/10 9:14 AM
