It seems a lot of ColdFusion sites out there are getting hit by an automated SQL injection attack, which uses a bit of SQL Server T-SQL to add a “<script>” tag to varchar fields.
Many years ago, I wrote a script that finds queries and automatically wraps their variables in <cfqueryparam> (it has been available at Daryl’s ColdFusion Primer). I’ve dug that up and updated it slightly to handle INSERT statements and to skip cached queries rather than parameterize them. (The latter will be highlighted in red.)
(For more information about avoiding SQL Injection in the first place, see my Paranoia 101 page at the aforementioned Primer.)
Place the script (temporarily) in your webroot and run it. It will show you all of the queries in that directory tree and give you checkboxes next to each that will allow you to choose which queries to parameterize. It will also show you what the result of parameterization will look like.
Remember: it’ll show you what it plans to do before it does anything, so you can run it once (without clicking the “submit” button) simply to see which files contain unparameterized queries.
This will probably break some queries, especially if you do things like WHERE date > '#dateFormat(d)# #timeFormat(d)#' or WHERE NAME LIKE '#searchname#%'. USE WITH CAUTION! It’s best to test the changes before moving them into production. Remove the “.old” files once the site is confirmed as working well.
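The two cases called out above, parameterized by hand (an added example, not the output of the post’s script; the datasource, table and column names are made up for illustration):

```cfml
<!--- Added example: how the two "will probably break" cases look once parameterized
      by hand. Datasource, table and column names are made up for illustration. --->

<!--- BEFORE (injectable): user input is concatenated straight into the SQL text.
      The LIKE wildcard and the date built from two formatted strings both live
      inside the quotes, which is what makes a mechanical rewrite of these tricky. --->
<cfquery name="qBefore" datasource="myDsn">
    SELECT id, name, created
    FROM   customers
    WHERE  name LIKE '#searchname#%'
    AND    created > '#dateFormat(d)# #timeFormat(d)#'
</cfquery>

<!--- A cf_sql_timestamp parameter rejects non-date values, so validate up front
      rather than letting the database see a malformed string. --->
<cfif NOT isDate(d)>
    <cfthrow message="Expected a date for the created-after filter.">
</cfif>

<!--- AFTER (parameterized): the search value, including the trailing wildcard, is
      sent as ONE bound varchar parameter, and the date goes across as a single typed
      timestamp instead of two strings glued together. maxlength caps oversized input. --->
<cfquery name="qAfter" datasource="myDsn">
    SELECT id, name, created
    FROM   customers
    WHERE  name LIKE <cfqueryparam cfsqltype="cf_sql_varchar" value="#searchname#%" maxlength="100">
    AND    created > <cfqueryparam cfsqltype="cf_sql_timestamp" value="#d#">
</cfquery>

<!--- Caveat: a % or _ typed by the user inside searchname still acts as a LIKE
      wildcard. That is a matching concern, not injection, because the whole value
      is bound as data and can never alter the SQL statement itself. --->
```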