This April, Peter Boughton put a little tool on RiaForge called QueryParam Scanner. It does what it says and that means you have no excuse not to batten down the hatches on that old code you've got swept under the rug. It also meant I didn't have any excuses either, so I gave it a run tonight.
Whether you wrote it or not, everyone probably has some old code lying around that doesn't use cfqueryparam to protect its cfqueries. I had some ancient stuff. Like, CF 4.5 days. I'm talking pound signs in my cfif statements! In light of the sweeping SQL injection attacks making their rounds recently I think it is very appropriate to bring this to attention.
The cfqueryparam tag in ColdFusion has several purposes.
- Built-in data type checking
- Separates SQL code from parameters
- This encourages your DBMS to cache a reusable execution plan, which can improve performance
- It guarantees that parameter values will NEVER spill over into the SQL to be accidentally executed.
- That means your cfquery is immune to pretty much most SQL injection attacks.
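As an added illustration (not code from the original post or from the QueryParam Scanner), here is the kind of cfquery the scanner flags, followed by the same queries with every ColdFusion variable wrapped in cfqueryparam; the datasource, table and form/url fields are assumed names:

```cfml
<!--- Vulnerable: the value of url.id is pasted straight into the SQL text,
      so whatever the client sends becomes part of the statement. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = #url.id#
</cfquery>

<!--- Hardened: the value travels as a bound parameter. cf_sql_integer also
      performs the type check, so a non-numeric value is rejected before any
      SQL is sent to the database. --->
<cfquery name="getProduct" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings and lists are parameterised the same way: maxlength bounds the
      input, and list="true" expands a comma-separated value into one bound
      parameter per element for the IN clause. --->
<cfquery name="searchProducts" datasource="myDSN">
    SELECT id, name, price
    FROM   products
    WHERE  name LIKE <cfqueryparam value="%#form.term#%"
                                   cfsqltype="cf_sql_varchar"
                                   maxlength="100">
      AND  category_id IN (<cfqueryparam value="#form.categoryIds#"
                                         cfsqltype="cf_sql_integer"
                                         list="true">)
</cfquery>
```

Because the SQL text is identical on every request, the database can reuse one execution plan for all three queries regardless of the values supplied.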
We may have gotten away with security through obscurity in the past, but consider this your call to arms. Hackers are getting clever and very persistent, and your site will see hack attempts if it hasn't already. There is a whole list of things you can do to protect your database, but I won't go into all that now. Suffice it to say that the MOST useful thing you can spend your time on right now is going through ANY public-facing code and making sure that every single ColdFusion variable in a cfquery is safely wrapped in cfqueryparam.
So, back to the QueryParam Scanner. I downloaded it from RiaForge and unzipped its contents into my web root. It is self-contained and doesn't require any special mappings or data sources to work. Simply navigate to the folder you unzipped everything into. At a minimum you just need to provide an absolute path to a folder to search. At first I was having problems, but then I realized I had simply typed my slashes backwards. Once I got the path correct, the program fired up and began pointing out all my vulnerable cfqueries. I edited the files one by one and re-ran the scanner until everything was gone. Yeah, it was a bit of a pain, but I feel so much better after cleaning up that old stuff.
You can put checks in, filter IP addresses, and search for certain words in your query string, but PLEASE use cfqueryparam. It really is the only way to be sure since SQL injection attacks can come in many forms from many IPs. You don't have any excuse now.