QueryParam Scanner is a tool that scans your codebase looking for queries. For every query it finds, it will check if there are any CFML variables in that query that are not contained within a cfqueryparam tag. Once complete, it will display a list of files with queries to be checked.
There is also an Eclipse Plugin available. The preferred install method is through Eclipse Update, using the URL in the readme file within the download above; if you want to install manually, you can instead download the JAR file.
If you have any problems, questions, or feedback of any sort please use the contact details below.
QueryParam Scanner makes use of features that require a Java-based CFMX-compatible engine.
However, it can be run against CFML code written for any engine, including CF5.
The following engines have been tested to ensure compatibility with the current release:
- ColdFusion 9
- Railo 3.x
For the following engines, you will need to use v0.7.3.1, available on GitHub.
- ColdFusion 8
- ColdFusion MX7
- BlueDragon 7
- OpenBD 1.4
- OpenBD 2.0
If you do not have one of these engines to run the tool with, Railo Express is recommended as the fastest way to get going.
Please send any questions or queries relating to QueryParam Scanner via email to qpscanner_projecthybridchill.com
The current release (v0.7) of qpScanner has the following features:
- Finds all variables in cfquery without a surrounding cfqueryparam.
- Displays filename, line number and query contents for all potential risks.
- Ability to scan any directory on local filesystem.
- Option to include/exclude child directories.
- Option to include/exclude ORDER BY clauses.
- Option to list which scopes any variables belong to.
- Option to highlight variables in client scopes.
- Significantly faster processing (compared to v0.6).
- Multiple output formats (HTML, XML, WDDX).
- Ability to override Request Timeout.
- Option to specify file/directory exclusions (regex).
- Option to include/exclude Query of Queries.
- Option to include/exclude built-in CFML functions.
- Eclipse Plugin for easier execution.
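As an added illustration of the check described above (example code written for this page, not part of qpScanner, which is itself written in CFML), the following Python script applies the same rule to a constructed CFML snippet: every #expression# inside a cfquery that is not wrapped in a cfqueryparam tag is reported with its line number and scope, ORDER BY clauses can be skipped, and client-controlled scopes are flagged. The scope list, and the treatment of URL, FORM, COOKIE and CGI as the client scopes, are assumptions made here.

```python
import re
from dataclasses import dataclass

# Constructed CFML sample (not from the project): one parameterised query, one not.
SAMPLE_CFML = """<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="search" datasource="app">
    SELECT id FROM users
    WHERE name = '#Trim(form.name)#'
    ORDER BY #url.sort#
</cfquery>
"""

CF_SCOPES = ("url", "form", "cookie", "cgi", "client", "session", "application",
             "server", "request", "variables", "arguments", "attributes", "local")
CLIENT_SCOPES = {"url", "form", "cookie", "cgi"}  # assumed: scopes the browser controls

QUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)       # plain or self-closing tag
VAR_RE = re.compile(r"#([^#\n]+)#")                          # any #expression# on one line
SCOPE_RE = re.compile(r"\b(" + "|".join(CF_SCOPES) + r")\.", re.I)
ORDER_BY_RE = re.compile(r"\bORDER\s+BY\b[^;]*", re.I | re.S)

@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line in the scanned source
    expression: str  # text between the hashes, as written
    scope: str       # CFML scope the expression reads from, or "unscoped"
    client: bool     # True when that scope is client-controlled

def scan_cfml(source: str, include_order_by: bool = True) -> list[Finding]:
    """Report every #expression# inside a cfquery that is not wrapped in cfqueryparam."""
    findings = []
    for q in QUERY_RE.finditer(source):
        body, offset = q.group(1), q.start(1)
        # Blank out (length-preserving) what must not be reported, so that offsets
        # into `body` still map to the same line numbers in `source`.
        body = PARAM_RE.sub(lambda m: " " * len(m.group(0)), body)
        if not include_order_by:
            body = ORDER_BY_RE.sub(lambda m: " " * len(m.group(0)), body)
        for v in VAR_RE.finditer(body):
            expr = v.group(1)
            m = SCOPE_RE.search(expr)
            scope = m.group(1).lower() if m else "unscoped"
            line = source.count("\n", 0, offset + v.start()) + 1
            findings.append(Finding(line, expr, scope, scope in CLIENT_SCOPES))
    return findings
```

Running `scan_cfml(SAMPLE_CFML)` reports lines 7 and 8 (both client scopes); with `include_order_by=False` only line 7 remains, matching the tool's ORDER BY option.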
Future Features / Wishlist
The following features are scheduled for v0.8:
- Option to auto-insert missing cfqueryparams.
- Ability to specify variable/scope exclusions.
- Improved file/directory exclusions.
- Improved integration with mxUnit and Apache Ant (limited support in v0.7 through XML output).
The following features are on the wishlist, but no guarantees can be given:
- Ability to store/retrieve settings (note: Eclipse Plugin partially offers this facility).
- Smarter type detection, by looking up actual field details from datasources.
- Ability to scan mapped network drives in Windows.
- Ability to validate correct cfqueryparam usage (e.g. lists within parentheses, types compatible with the database, etc.).
If there are any features you want implemented, please let me know.