Jul 24 2008
ColdFusion, Security, SQL
Tuesday I blogged Peter Boughton's QueryParam Scanner from RiaForge. Today I'm taking a look at Daryl Banttari's Query Parameterizing tool. Daryl's scanner has an interesting twist. Not only does it find unparameterized queries, it will automatically FIX them FOR you! Daryl Banttari works for WebApper and is part of the genius behind SeeFusionHere's the highlights of Daryl's script:
- It's a single stand alone .cfm file
- It will (optionally) drill down recursively from its current location and scan all CFML for cfquery tags with missing cfqueryparam tags
- It automatically skips files starting with an underscore, and folders starting with a period
- The tool gives you the option to check a box next to the queries you want to automatically fix, and submit the form. It will then edit each of those files and wrap your parameters in a cfqueryparam tag!
- It backs up the old file for you in case to need to roll back (test.cfm.old)
- In general the only attribute it uses for the cfqueryparam tag is value, but it will add cfsqltype="CF_SQL_TIMESTAMP" if the column name contains the word "date", or the parameter contains "now()"
- It runs out-of-the-box on Windows, but has some slash problems on Linux. I was getting some interesting paths (which errored) like /var/wwwroot/bradwood_com/\test.cfm
- By default it only scans .cfm files, not .cfc or .cfml files
- The interface is pretty basic and doesn't allow you to collapse anything forcing you to scroll through a LOT of text
- Unlike Peter's script, it does not have an option to search for ColdFusion variables in the order by clause (which technically aren't parameters, but they ARE very dangerous)
- The date guessing logic will get confused if you have a column name like "update"
- There is no interface to configure options. They are controlled by editing some variable at the top of the script
- Peter's script will let you choose ANY folder on your server to scan while Daryl's will only scan the folder it resides in
[code]<CFDIRECTORY Action="List" Directory="#CurDir#" Name="Dir" Filter="*.cfm"> [/code]To the following:
[code]<CFDIRECTORY Action="List" Directory="#CurDir#" Name="Dir" Filter="*.cfm|*.cfc|*.cfml"> [/code]Well people, the only way this could get any easier for you would be for a little gnome to climb into your server and fix all your cfqueries for you. If you want to try out Daryl's scanner, a download link is found at this WebApper blog entry . Also, on a side note-- I scanned BlogCFC version 5.9.004 and it came out squeaky clean. There were a couple false alarms but they turned out to be query of queries. Go Ray!