QueryParam Scanner
QueryParam Scanner is a tool that scans your codebase looking for queries. For every cfquery it finds, it checks whether any CFML variables inside that query are not wrapped in a cfqueryparam tag (unparameterised variables in SQL being the usual route to SQL injection). Once complete, it displays a list of files containing queries that need checking.
The latest released version is v0.7.4 which can be downloaded from the Hybridchill Project Download page or from this GitHub page.
There is a release candidate for the next version currently available on GitHub, for further details see this blog entry.
There is also an Eclipse Plugin available. The preferred install method is through Eclipse Update, using the URL in the readme file within the download above; if you want to install manually, you can instead download the JAR file.
If you have any problems, questions, or feedback of any sort please use the contact details below.
Requirements
QueryParam Scanner makes use of features that require a Java-based CFMX-compatible engine.
However, it can be run against CFML code written for any engine, including CF5.
The following engines have been tested to ensure compatibility with the current release:
- ColdFusion 9
- Railo 3.x
For the following engines, you will need to use v0.7.3.1, available at GitHub.
- ColdFusion 8
- ColdFusion MX7
- BlueDragon 7
- OpenBD 1.4
- OpenBD 2.0
If you do not have one of these engines to run the tool with, Railo Express is recommended as the fastest way to get going.
Contact
Please send any questions or queries relating to QueryParam Scanner via email to
qpscanner_project
hybridchill.com
Features
The current release (v0.7) of qpScanner has the following features:
- Finds all variables in cfquery without a surrounding cfqueryparam.
- Displays filenames, line number and query contents for all potential risks.
- Ability to scan any directory on local filesystem.
- Option to include/exclude child directories.
- Option to include/exclude ORDER BY clauses.
- Option to list which scopes any variables belong to.
- Option to highlight variables in client scopes.
- Significantly faster processing (compared to v0.6).
- Multiple output formats (HTML, XML, WDDX).
- Ability to override Request Timeout.
- Option to specify file/directory exclusions (regex).
- Option to include/exclude Query of Queries.
- Option to include/exclude built-in CFML functions.
- Eclipse Plugin for easier execution.
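The core check described at the top of this page and in the feature list (variables inside cfquery that are not wrapped in cfqueryparam, with line numbers, scope listing, client-scope highlighting and the ORDER BY option) as an added illustration in Python. This is not the project's own code; the sample CFML, the scope lists and the regular expressions are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample CFML (not from the project): q1 is parameterised, q2 is not.
SAMPLE_CFM = """<cfset name = "x">
<cfquery name="q1" datasource="ds">
    SELECT id FROM users
    WHERE name = <cfqueryparam value="#form.name#" cfsqltype="cf_sql_varchar">
</cfquery>
<cfquery name="q2" datasource="ds">
    SELECT id FROM users
    WHERE name = '#url.name#'
    ORDER BY #variables.sortCol#
</cfquery>
"""

# Scopes whose values arrive straight from the HTTP client (highest injection risk).
CLIENT_SCOPES = {"url", "form", "cookie", "cgi"}
KNOWN_SCOPES = CLIENT_SCOPES | {"variables", "session", "application", "request", "arguments"}

QUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
ORDER_BY_RE = re.compile(r"\bORDER\s+BY\b[^\n]*", re.IGNORECASE)
VAR_RE = re.compile(r"#([A-Za-z_][\w.]*)#")  # CFML interpolation such as #url.id#

@dataclass
class Finding:
    line: int           # 1-based line number in the scanned source
    variable: str       # the interpolated expression, e.g. "url.name"
    scope: str          # CFML scope prefix, or "unscoped" when none is given
    client_scope: bool  # True when the value comes straight from the client

def scan_source(src: str, include_order_by: bool = True) -> list[Finding]:
    # Replace matched text with spaces so offsets, and hence line numbers, stay correct.
    blank = lambda m: " " * (m.end() - m.start())
    findings = []
    for qm in QUERY_RE.finditer(src):
        body = PARAM_RE.sub(blank, qm.group(1))      # variables inside cfqueryparam are safe
        if not include_order_by:
            body = ORDER_BY_RE.sub(blank, body)      # mirrors the "exclude ORDER BY" option
        for vm in VAR_RE.finditer(body):
            var = vm.group(1)
            head = var.split(".", 1)[0].lower()
            scope = head if "." in var and head in KNOWN_SCOPES else "unscoped"
            line = src.count("\n", 0, qm.start(1) + vm.start()) + 1
            findings.append(Finding(line, var, scope, scope in CLIENT_SCOPES))
    return findings

if __name__ == "__main__":
    for f in scan_source(SAMPLE_CFM):
        print(f"line {f.line}: #{f.variable}# scope={f.scope} client={f.client_scope}")
```

Running it on the sample reports only the two variables in q2; the form.name value in q1 is skipped because it sits inside a cfqueryparam tag.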
Future Features / Wishlist
The following features are scheduled for v0.8:
- Option to auto-insert missing cfqueryparams.
- Ability to specify variable/scope exclusions.
- Improved file/directory exclusions.
- Improved integration with mxUnit and Apache Ant (limited support in v0.7 through XML output).
The following features are on the wishlist, but no guarantees can be given:
- Ability to store/retrieve settings (note: Eclipse Plugin partially offers this facility).
- Smarter type detection, by looking up actual field details from datasources.
- Ability to scan mapped network drives in Windows.
- Ability to validate correct cfqueryparam usage (e.g. lists within parentheses, types used are compatible with the database, etc).
If there are any features you want implemented, please let me know.
