Criticizing someone for negligence is not blaming the victim. If the person who coded the site is so incompetent as not to include a cfqueryparam for any user input that has direct impact on the database, then they deserve to get blamed. What's so difficult about <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#form.foo#" />
As for going back and finding out where the unprotected queries are, it's not that difficult. If you're using CFEclipse, Dan Switzer of pengoworks has written a nice bit of regex to use with the file search. It goes through your project or entire workspace and finds all the queries that need to be paramed:

<cfquery\s[^>]*>([^#]*(((?<!value=")#[^#]*#)))((?<!</cfquery)[^>]*?)</cfquery>

There are also a few tools out there (mentioned previously on HOF) that will do the same and produce a detailed report. Try them as well. To make it easy, here are links to two of the tools:

qpScanner by Peter Boughton (RiaForge)
http://www.codersrevolution.com/enclosures/qpscanner7.zip

Query Parameterizer by Daryl Banttari
http://www.codersrevolution.com/enclosures/_parameterizeQueries.zip

Brad Wood has written a good overview of both of these tools:
http://www.codersrevolution.com/index.cfm/2008/7/24/Announcing-the-first-ever-International-Operation-cfSQLprotect

You've got no excuse now.

> Ah. You're from the "blame the victim" school.
>
> Unfortunately, when I wrote the first 1,000 ColdFusion templates using Ben
> Forta's CF 4.0 book, there was no CFQueryParam. So going back and rewriting
> all those programs (now well into several thousand) has been a bitch. And
> all it took was one missed spot.
>
> So I shouldn't be mad at the poor little hackers, because they were doing us
> all a favor by pointing out our faults. That is your school of thought,
> right?
>
> Dave Morris

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:310717
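Added illustration, not part of the original thread and not Dan Switzer's regex or either of the tools linked above: a small Python scanner built on the same idea. It pulls out every <cfquery> block, removes the <cfqueryparam> tags (whose values are bound, not concatenated), and reports any #...# interpolation left in the SQL body. The CFML it scans is constructed for this example, and the names SAMPLE_CFML and find_unparameterized are my own choices.

```python
import re

# Constructed sample CFML for this example (not code from the thread). Query q3 is the
# "one missed spot" case: one value bound with cfqueryparam, one still interpolated.
SAMPLE_CFML = """
<!--- 1: raw interpolation, injectable --->
<cfquery name="q1" datasource="#application.dsn#">
    SELECT id, title FROM articles WHERE id = #url.id#
</cfquery>

<!--- 2: fully parameterized --->
<cfquery name="q2" datasource="#application.dsn#">
    SELECT id, title FROM articles
    WHERE id = <cfqueryparam cfsqltype="CF_SQL_INTEGER" value="#url.id#" />
      AND author = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.author#">
</cfquery>

<!--- 3: one param, one missed spot --->
<cfquery name="q3" datasource="#application.dsn#">
    UPDATE users SET email = <cfqueryparam cfsqltype="CF_SQL_VARCHAR" value="#form.email#" />
    WHERE username = '#form.username#'
</cfquery>

<!--- 4: an escaped pound sign (##) is a literal, not interpolation --->
<cfquery name="q4" datasource="#application.dsn#">
    SELECT id FROM tags WHERE label = 'item ##1'
</cfquery>
"""

# <cfquery ...> ... </cfquery>; the \b keeps <cfqueryparam from matching as an opening tag.
QUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.IGNORECASE | re.DOTALL)
# Both the self-closing and the plain form of the tag.
PARAM_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
INTERP_RE = re.compile(r'#([^#]+)#')


def find_unparameterized(cfml):
    """Return [(query_name, line_number, [expressions])] for every <cfquery> whose SQL
    body still contains #...# interpolation after all <cfqueryparam> tags are removed.
    Only the body is inspected: #application.dsn# in the opening tag is not SQL."""
    findings = []
    for m in QUERY_RE.finditer(cfml):
        attrs, body = m.group(1), m.group(2)
        name_match = NAME_RE.search(attrs)
        name = name_match.group(1) if name_match else "<unnamed>"
        line = cfml.count("\n", 0, m.start()) + 1
        # Values inside a cfqueryparam are bound, not concatenated: drop those tags entirely.
        stripped = PARAM_RE.sub("", body)
        # ## is CFML's escape for a literal #, so remove the pairs before looking for #expr#.
        stripped = stripped.replace("##", "")
        exprs = [e.strip() for e in INTERP_RE.findall(stripped)]
        if exprs:
            findings.append((name, line, exprs))
    return findings


if __name__ == "__main__":
    for name, line, exprs in find_unparameterized(SAMPLE_CFML):
        print(f"line {line}: query '{name}' interpolates {', '.join(exprs)} into SQL")
```

On the sample this reports q1 and q3 and stays quiet on q2 and q4. Two caveats for real use: the output is a triage list, not a verdict, since a #variables.tableName# used as a dynamic identifier cannot be bound with cfqueryparam and needs a whitelist instead; and the Eclipse regex above anchors on the first # after the opening tag, so a query whose first # sits inside a cfqueryparam value attribute is not matched even when a later #...# is raw, which is exactly the q3 shape. Stripping the param tags before searching is what catches that case here.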

