Time to step back and check your work...
Every now and then it's worth taking the time to run a scan tool against your always-growing codebase to make sure you haven't opened up any avenues for a SQL injection attack.
You'd think that after so long and so many repeated warnings we'd all be tighter than tight by now and that parameterizing our queries would be second nature. This is such an old vulnerability for any webapp that building in protection from the start should be elementary. For the most part that's absolutely the case...but there are always a few queries that manage to get by without wearing proper protection.
I was a bit surprised at the results after running the QueryParam Scanner tool from RIAForge (thank you, Peter Boughton!) -- until I realized that the tool isn't excluding SQL in a query of queries (dbtype="query") nor is it omitting any values that are being set from an unadulterated CF function (now() is one example). Still, though, it did identify a number of queries that needed a little extra attention just to be truly safe from attack. I highly recommend that you go get it and run it today. You can clean up the mess before you leave work today. This would be an excellent feature to be written as an extension to CFEclipse or (as Rob Brooks-Bilson suggested) integrated into standard CF unit testing suites.
Worth noting is that in many cases (at least for the numeric params) we val() the value and set the type on the cfargument tag in all the CFCs, all the way down to the DAO level, so even without the cfqueryparam tag we're mostly safe. It's the char/varchar fields that require the most attention (complete with trim(), left(), and maxlength checking!) to be considered sufficiently safe.
All of that aside, cfqueryparam alone is a strong first step to protecting your system from a SQL injection attack. Using it reduces the likelihood you'll be wearing egg on your face on Monday morning!
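To make the contrast concrete, here is an added CFML example (not code from this post or from the QueryParam Scanner project) showing the kind of query the scanner flags beside its cfqueryparam version, plus the typed-cfargument guard at the DAO level. The users table, its userID/userName columns, the myDSN datasource and the getUserByID function are all assumed for illustration.

```cfml
<!--- Added example; table "users", columns userID (int) / userName (varchar(50)),
      datasource "myDSN" and the function name are assumptions, not from the post. --->

<!--- BEFORE: values interpolated straight into the SQL string.
      This is what the scanner reports; url.name and url.id are user-controlled. --->
<cfquery name="getUserUnsafe" datasource="myDSN">
    SELECT userID, userName
    FROM   users
    WHERE  userName = '#url.name#'
       AND userID   = #url.id#
</cfquery>

<!--- AFTER: every dynamic value passes through cfqueryparam.
      cfsqltype enforces the data type; maxlength caps the varchar input so an
      over-long string is rejected rather than sent to the database. --->
<cfquery name="getUserSafe" datasource="myDSN">
    SELECT userID, userName
    FROM   users
    WHERE  userName = <cfqueryparam value="#trim(url.name)#"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="50">
       AND userID   = <cfqueryparam value="#url.id#"
                                    cfsqltype="cf_sql_integer">
</cfquery>

<!--- DAO-level guard from the post: type="numeric" on cfargument makes CF throw
      on a non-numeric value before any SQL is built; val() and cfqueryparam
      still wrap the value so the query is safe even if the caller is sloppy. --->
<cffunction name="getUserByID" access="public" returntype="query" output="false">
    <cfargument name="userID" type="numeric" required="true">
    <cfset var q = "">
    <cfquery name="q" datasource="myDSN">
        SELECT userID, userName
        FROM   users
        WHERE  userID = <cfqueryparam value="#val(arguments.userID)#"
                                      cfsqltype="cf_sql_integer">
    </cfquery>
    <cfreturn q>
</cffunction>

<!--- Query of Queries (dbtype="query") and values from pure CF functions such as
      now() are the two cases the post notes the scanner flags although no user
      input reaches the SQL. --->
<cfquery name="firstUser" dbtype="query" maxrows="1">
    SELECT userID, userName FROM getUserSafe
</cfquery>
```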
Both the Eclipse plugin and unit testing integration are planned for next release.
(Though I've not done an Eclipse plugin before, so the first version of that will be crude)
Unit testing will be added via support for various output formats, so Apache Ant or mxUnit can consume it.
I'll add an option to allow exclusion of QoQ.
Also making it exclude pure functions with no inputs, like #Now()#, should be a simple task, so consider that added also. :)