Comments on: ColdFusion SQL Injection

By: Shannon Hicks

Shannon Hicks — Tue, 21 Jul 2009 20:38:02 +0000

I just checked, and it seems to work. Just remove the .html to make it into a cfm file.

By: Charles Fahey

Charles Fahey — Sat, 11 Jul 2009 21:14:11 +0000

Is this still available? The download link doesn’t work.

Thanks!

By: Sam Singer

Sam Singer — Tue, 12 Aug 2008 00:00:00 +0000

Will this run on os x?

By: John Fitzgerald

John Fitzgerald — Mon, 04 Aug 2008 00:00:00 +0000

You are a God! Totally saved me hours. Thanks!

By: Jeremy Kay

Jeremy Kay — Tue, 29 Jul 2008 00:00:00 +0000

I love this app!

But, any reason it uses the default "CF_SQL_CHAR"?

I’m using MSSQL and most of my ‘text’ fields are nvarchar. So am I correct that I need to set it to "CF_SQL_VARCHAR"? Is there any way to change this to be the defualt value? Thanks!

By: Jeremy Kay

Jeremy Kay — Tue, 29 Jul 2008 00:00:00 +0000

I have set up the app to leave everything UNchecked. I then check ONE query to update and it will update 2 or 3 pages…
I’ve looked at the code and it seems that there is an error with the ‘hash’ part in the checkbox. It will repeat the same hash multiple times.

Has anyone else had this problem?

By: duncan

duncan — Thu, 24 Jul 2008 00:00:00 +0000

What about changing it to also scan .cfc files?

By: duncan

duncan — Thu, 24 Jul 2008 00:00:00 +0000

Also doesn’t seem to work where a query would have a LIKE in it, e.g.
WHERE name like ‘#form.name#%’

By: Brad Wood

Brad Wood — Thu, 24 Jul 2008 00:00:00 +0000

Duncan, I have already blogged a fix to make it scan .cfm, .cfml, and .cfc files.
http://www.codersrevolution.com/index.cfm/2008/7/24/Parameterize-your-queries-without-lifting-a-finger

If you successfully implement a change to get it to properly recognize the like systax let me know. I would like to clean up the interface a little bit. I don’t know if Daryl has any time to assist with this. Perhaps he will chime in and let us know.

By: Dan G. Switzer, II

Dan G. Switzer, II — Thu, 24 Jul 2008 00:00:00 +0000

I was having problems with the script doing weird things do to the logic used to find the open CFQUERY tag. On one template, I was just getting thousands of lines that read: [cfqueryparam /] (with greater than/less than in place of brackets.)

So, I changed my instances of:

findNoCase("

to:

reFindNoCase("

And that fixed all my problems.