How to programmatically sanitize cfquery ColdFusion settings?

I have inherited the great legacy of ColdFusion. There are hundreds of `<cfquery> some sql here #variable# </cfquery>` which should be parameterized according to: `<cfquery> some sql here <cfqueryparam value="#variable#" /> </cfquery>`

How can parameterization be added programmatically?

I was thinking of writing some kind of regular expression or sed / awk solution, but it seems like someone has handled such a problem somewhere. Bonus points are awarded for automatically detecting the sql type.

5 answers

QueryParam Scanner (qpscanner) on RIAForge: http://qpscanner.riaforge.org/


<cf_inputFilter
            scopes = "FORM,COOKIE,URL"
            chars = "<,>,!,&,|,%,=,(,),',{,}"
            tags="script,embed,applet,object,HTML">

We used this to counteract the recent SQL injection attack. We added it to the Application.cfm file for our site.


I doubt there is a solution that exactly fits your needs. The only option that I see is to write your own recursive search that creates a report for you, or to use one of the applications / scripts listed above. Basically, you will have to edit each page or approve all automatic changes.

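One way to write that recursive search as a report generator, added here as an example and not code from any of the posts above: it lists every bare #variable# inside a <cfquery> that is not already wrapped in <cfqueryparam>, and suggests a cfsqltype from whether the value sits inside SQL quotes (an assumed heuristic, as is the constructed sample file; nothing is rewritten automatically).

```python
import re
import sys
from dataclasses import dataclass

# Match each <cfquery> body and any <cfqueryparam> tags already inside it.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# A bare CF interpolation #expr#, capturing whether it sits inside SQL quotes.
INTERP_RE = re.compile(r"('?)#([^#\n]+)#('?)")

@dataclass
class Finding:
    line: int
    expr: str
    suggested_type: str
    suggestion: str

def scan_cfm(source: str) -> list[Finding]:
    """Report every #var# inside a <cfquery> that is not already a <cfqueryparam>."""
    findings = []
    for q in CFQUERY_RE.finditer(source):
        body = q.group(1)
        # Blank out existing cfqueryparam tags (same length, so offsets stay valid).
        masked = CFQUERYPARAM_RE.sub(lambda m: " " * (m.end() - m.start()), body)
        for m in INTERP_RE.finditer(masked):
            expr = m.group(2).strip()
            quoted = m.group(1) == "'" and m.group(3) == "'"
            # Heuristic only: a quoted '#x#' is string data, a bare #x# is probably numeric.
            sqltype = "cf_sql_varchar" if quoted else "cf_sql_integer"
            line = source.count("\n", 0, q.start(1) + m.start()) + 1
            # The suggestion replaces the quotes too: cfqueryparam does its own quoting.
            suggestion = f'<cfqueryparam value="#{expr}#" cfsqltype="{sqltype}" />'
            findings.append(Finding(line, expr, sqltype, suggestion))
    return findings

# Constructed sample page (not from the original question) to run against.
SAMPLE = """<cfquery name="getUser" datasource="app">
    SELECT * FROM users
    WHERE username = '#form.username#'
      AND status = #url.status#
      AND site_id = <cfqueryparam value="#session.siteId#" cfsqltype="cf_sql_integer" />
</cfquery>"""

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. find . -name '*.cfm' | xargs python scan.py
        for f in scan_cfm(open(path, errors="replace").read()):
            print(f"{path}:{f.line}: #{f.expr}# -> {f.suggestion}")
```

Each reported line still has to be reviewed by hand, since the type guess is only based on quoting and the regex does not understand SQL comments or escaped ## sequences.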

Source: https://habr.com/ru/post/1696882/
