3

I have inherited a large legacy ColdFusion app. There are hundreds of <cfquery>some sql here #variable#</cfquery> statements that need to be parameterized along the lines of: <cfquery> some sql here <cfqueryparam value="#variable#"/> </cfquery>

How can I go about adding parameterization programmatically?

I have thought about writing some regular expression or sed/awk'y sort of solution, but it seems like somebody somewhere has tackled such a problem. Bonus points awarded for inferring the sql type automatically.

Cœur
Nathan Feger
  • I have not yet had an opportunity to vet http://qpscanner.riaforge.org/, or http://www.webapper.net/index.cfm/2008/7/22/ColdFusion-SQL-Injection. But if one of these two can get sufficient upvotes, perhaps I will not have to, and I can just accept that answer. – Nathan Feger Sep 17 '08 at 04:03

5 Answers

10

There's a queryparam scanner that will find them for you on RIAForge: http://qpscanner.riaforge.org/

Joe Zack
6

There is a script referenced here: http://www.webapper.net/index.cfm/2008/7/22/ColdFusion-SQL-Injection that will do the majority of the heavy lifting for you. All you have to do is check the queries and make sure the syntax will parse properly.

There is no excuse for not using CFQueryParam: apart from being much more secure, it is a performance boost and the best way to handle quoted values in character-based column types.

Dan Wilson
  • This script is now on github for people to grab and contribute to. https://github.com/mhenke/WebApper-ColdFusion-SQL-Injection – Mike Henke Jul 29 '11 at 15:30
3

Keep in mind that you may not be able to solve everything with <cfqueryparam>.

I've seen a number of examples where the order by field name is being passed in the query string, which is a slightly trickier problem to solve as you need to validate that in a more "manual" way.
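An added example, not code from the question or from the RIAForge scanner or webapper script linked above: a Python first pass over `.cfm` files that does the regex rewrite the question asks for and, for the situation this answer describes, reports interpolations it cannot bind instead of rewriting them. Everything in it is an assumption: the `cfsqltype` guesses (quoted value to `cf_sql_varchar`, a name ending in `id` to `cf_sql_integer`, and so on) are a heuristic to check against the schema, the set of "identifier" clauses is a heuristic, and the sample CFML and its variable names are constructed.

```python
import re
import sys

# One <cfquery ...> ... </cfquery> block: open tag, SQL body, close tag.
CFQUERY_RE = re.compile(r"(<cfquery\b[^>]*>)(.*?)(</cfquery>)", re.IGNORECASE | re.DOTALL)
# A CFML interpolation with an optional single quote on either side: '#form.x#' or #url.id#
INTERP_RE = re.compile(r"(')?#([A-Za-z_][\w.\[\]]*)#(')?")
# SQL clause keywords; the last one before an interpolation tells us what role it plays.
CLAUSE_RE = re.compile(
    r"\b(select|from|join|into|on|where|group\s+by|order\s+by|having|set|values|limit)\b",
    re.IGNORECASE,
)
# In these clauses the interpolated text is a table or column name (assumed heuristic).
# A bind parameter cannot stand in for an identifier, so these need an allow-list check.
IDENTIFIER_CLAUSES = {"from", "join", "into", "order by", "group by"}

def infer_sqltype(name, quoted):
    """Guess a cfsqltype from the quoting and the variable name (assumed heuristic)."""
    lname = name.lower()
    if quoted:
        return "cf_sql_timestamp" if ("date" in lname or "time" in lname) else "cf_sql_varchar"
    if lname.endswith("id") or "count" in lname or "num" in lname:
        return "cf_sql_integer"
    return "cf_sql_numeric"

def inside_tag(sql, pos):
    """True if pos lies inside a tag, e.g. an existing <cfqueryparam ...> or a <!--- comment --->."""
    lt, gt = sql.rfind("<", 0, pos), sql.rfind(">", 0, pos)
    return lt > gt and re.match(r"<[A-Za-z/!]", sql[lt:lt + 2]) is not None

def clause_before(sql, pos):
    """Return the normalised clause keyword ('where', 'order by', ...) governing pos, or ''."""
    last = ""
    for m in CLAUSE_RE.finditer(sql, 0, pos):
        last = re.sub(r"\s+", " ", m.group(1).lower())
    return last

def rewrite_body(sql, qname):
    """Rewrite one query body. Returns (new_sql, list of review flags)."""
    out, flags, last = [], [], 0
    for m in INTERP_RE.finditer(sql):
        lq, name, rq = m.groups()
        hash_pos = m.start(2) - 1  # position of the opening '#'
        if inside_tag(sql, hash_pos):
            continue  # already bound, or a tag attribute: leave it alone
        clause = clause_before(sql, hash_pos)
        if clause in IDENTIFIER_CLAUSES:
            flags.append(f"{qname}: #{name}# is an identifier in {clause.upper()}; validate it against an allow-list instead")
            continue
        in_literal = sql.count("'", 0, hash_pos) % 2 == 1  # odd quote count: inside '...'
        fully_quoted = bool(lq and rq)
        if in_literal and not fully_quoted:  # e.g. LIKE '%#form.term#%'
            flags.append(f"{qname}: #{name}# is part of a larger string literal; build the whole value in CFML and bind that")
            continue
        # cfqueryparam does its own quoting, so a fully quoted '#x#' loses both quotes.
        start, end = (m.start(), m.end()) if fully_quoted else (hash_pos, m.end(2) + 1)
        param = f'<cfqueryparam value="#{name}#" cfsqltype="{infer_sqltype(name, fully_quoted)}" />'
        out.append(sql[last:start])
        out.append(param)
        last = end
    out.append(sql[last:])
    return "".join(out), flags

def parameterize(cfml):
    """Rewrite every <cfquery> in a CFML document. Returns (new_text, review flags)."""
    flags = []

    def fix(m):
        open_tag, body, close_tag = m.groups()
        name_m = re.search(r'name\s*=\s*"([^"]*)"', open_tag, re.IGNORECASE)
        new_body, body_flags = rewrite_body(body, name_m.group(1) if name_m else "(unnamed)")
        flags.extend(body_flags)
        return open_tag + new_body + close_tag

    return CFQUERY_RE.sub(fix, cfml), flags

# Constructed sample covering the three outcomes: rewritten, skipped (already bound), flagged.
SAMPLE = """<cfquery name="getUser" datasource="app">
    SELECT * FROM users
    WHERE username = '#form.username#' AND status_id = #url.statusid#
    ORDER BY #url.sortcol#
</cfquery>
<cfquery name="findNotes" datasource="app">
    SELECT id FROM notes WHERE body LIKE '%#form.term#%'
      AND owner_id = <cfqueryparam value="#session.userid#" cfsqltype="cf_sql_integer" />
</cfquery>
"""

if __name__ == "__main__":
    # Usage: python cfquery_param.py file.cfm ...   (with no arguments it runs on SAMPLE)
    inputs = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("(sample)", SAMPLE)]
    for path, text in inputs:
        new_text, flags = parameterize(text)
        print(f"==== {path}\n{new_text}" + "".join(f"REVIEW: {f}\n" for f in flags))
```

The script prints the rewritten source and the review flags rather than writing files back, so each result can be diffed and approved before it replaces the original. Two limits worth knowing before trusting it: interpolations that contain a function call (`#trim(form.x)#`) do not match `INTERP_RE` and are left untouched, so grep for remaining `#` inside `<cfquery>` blocks after a pass; and the ORDER BY, FROM and partial-literal cases it flags need the manual allow-list validation this answer describes, which no rewrite can supply.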

1
<cf_inputFilter
    scopes="FORM,COOKIE,URL"
    chars="<,>,!,&,|,%,=,(,),',{,}"
    tags="script,embed,applet,object,HTML">

We used this to counteract a recent SQL injection attack. We added it to the Application.cfm file for our site.

betelgeuce
0

I doubt that there is a solution that will fit your needs exactly. The only option I see is to write your own recursive search that builds a report for you or use one of the apps/scripts that people have listed above. Basically, you are going to have to edit each page or approve all of the automated changes.

kooshmoose