
I am looking for a tool that will go through my ColdFusion code files and add cfqueryparams where needed. I found many that will scan and show me where I need to make changes, but I found one at http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection which is pretty close to what I was looking for, but it doesn't add the cfsqltype (or maxlength). I was wondering if this still prevents SQL injection without cfsqltype? If it is required (I know it is technically optional), do you know of another tool that will do this? I believe that it is important to make sure that any variables in the order by clause are parameterized also, which this tool doesn't check for.

I am thinking of buckling down and changing the code from http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection to do all this, but I thought it would be wise to ask first.

asked by Rodney D (question edited by Leigh)
  • Without the cfsqltype attribute it would assume cf_sql_varchar. It would still prevent SQL injection, as a bound parameter is used instead of a string. The database would have to cast every parameter to the type the database accepts for every column. That might slow everything down. – Bernhard Döbler Apr 29 '16 at 23:37
  • *still prevents sql injection without cfsqltype* Yes, bind variables prevent the "value" from being executed as sql commands. However, you are correct that you should use the appropriate type to avoid the [perils of implicit conversion](http://stackoverflow.com/questions/27049918/coldfusion-parameterizing-a-query/27066113#27066113). *variables in the order by clause are parameterized.. which this tool doesn't check* You cannot parameterize order by (usually). It uses object names, which must be evaluated as sql commands. Bind variables are designed to *prevent* that from happening. – Leigh Apr 29 '16 at 23:39
  • (Edit) *buckling down and changing the code* I do not think that could be done easily. To determine the cfsqltype, the tool would need to parse the SQL for each query, identify all of the tables involved, then query the db metadata to identify the column types and map them to the appropriate cfsqltype. That is a lot harder to do after the fact, with an arbitrary query. RE: *would assume cf_sql_varchar* Well technically `cf_sql_char`, but yep.. essentially it defaults to a string type :) – Leigh Apr 29 '16 at 23:51
  • 1
    You would have to be very brave to blindly change code like that and not test it. If you can find all the instances, I suggest looking at them, deciding what you have to do, and test your work. – Dan Bracuk Apr 30 '16 at 02:47

1 Answer


Use either that tool or QPScanner to scan your code base and find queries with missing cfqueryparam or missing cfprocparam.

Once you find them, MANUALLY UPDATE AND TEST EVERY INSTANCE.

Don't cross your fingers and hope things work themselves out.

I've been through this process a number of times and I can guarantee that you should take your time updating the code correctly.

answered by Adrian J. Moreno
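As an added example (not code from the question, the linked webapper tool, or the answer), this is the kind of change the answer says has to be made by hand, with the two points from the comments applied: the bound value can no longer be executed as SQL even when cfsqltype is omitted, but giving the real type and a maxlength keeps the database from casting on every row, and the ORDER BY column cannot be bound at all, so the request value is mapped onto a fixed list of column names. The table, columns, datasource and the url/form variables are assumptions made for the example.

```cfml
<!--- Constructed example. Assumed table "users" (id integer, username varchar(50),
      created datetime), datasource application.dsn, and request variables url.id,
      url.sortCol, url.sortDir and form.search. --->

<!--- BEFORE: this is what the scanners flag. Every value is spliced into the SQL
      text, so ?id=1%20OR%201=1 or a crafted sortCol rewrites the statement. --->
<cfquery name="qBefore" datasource="#application.dsn#">
    SELECT id, username, created
    FROM   users
    WHERE  id = #url.id#
    AND    username LIKE '#form.search#%'
    ORDER BY #url.sortCol# #url.sortDir#
</cfquery>

<!--- AFTER: validate first. cfparam throws if url.id is not an integer, so a
      non-numeric id never reaches the query. --->
<cfparam name="url.id" type="integer">
<cfparam name="url.sortCol" default="username">
<cfparam name="url.sortDir" default="ASC">
<cfparam name="form.search" default="">

<!--- ORDER BY takes an object name, which a bind variable cannot supply. The
      request value is therefore used only as a key into a fixed map of allowed
      columns; the string that ends up in the SQL comes from the map, not from
      the request. Struct key lookups are case-insensitive, so "USERNAME" maps too. --->
<cfset allowedSort = { id = "id", username = "username", created = "created" }>
<cfset sortCol = structKeyExists(allowedSort, url.sortCol) ? allowedSort[url.sortCol] : "username">
<cfset sortDir = (uCase(url.sortDir) EQ "DESC") ? "DESC" : "ASC">

<cfquery name="qAfter" datasource="#application.dsn#">
    SELECT id, username, created
    FROM   users
    <!--- Bound as an integer. Leaving cfsqltype off would still bind the value
          (as a string type), so the injection is still blocked, but then the
          comparison with the integer column depends on the database casting
          one side, which is the implicit-conversion cost the comments mention. --->
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    <!--- The wildcard is appended to the value, not to the SQL text. maxlength
          matches the column width plus the trailing "%"; a longer value makes
          ColdFusion raise an error instead of sending it to the database. --->
    AND    username LIKE <cfqueryparam value="#form.search & '%'#"
                                       cfsqltype="cf_sql_varchar"
                                       maxlength="51">
    ORDER BY #sortCol# #sortDir#
</cfquery>
```

The BEFORE form is what a scanner such as QPScanner or the webapper script can find mechanically; the AFTER form is the part that needs a person, because the cfsqltype and maxlength values come from the schema of each column and the ORDER BY mapping has to be written per query, which is exactly why the tool in the question stops at inserting the tag.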