Blog

JR asked a good question on my queryparam Scanner post. He noticed that I had stopped short of saying cfqueryparam would ALWAYS stop ALL SQL injection. He said, "Can you give an example of a SQL Injection attack which is not caught by cfqueryparam ?" I'm glad you asked JR.

This April, Peter Boughton put a little tool on RiaForge called QueryParam Scanner. It does what it says and that means you have no excuse not to batten down the hatches on that old code you've got swept under the rug. It also meant I didn't have any excuses either, so I gave it a run tonight.

Zac Spitzer recently blogged about an article explaining how to hack ColdFusion. Overall the "exposé" was mostly meaningless drivel not having anything much to do specifically with ColdFusion itself. It was accompanied by an array of Code Samples that look like they were written by a third grader. One point the article made though caught my eye. It claimed MySQL would let you inject SQL into a cfquery not using cfqueryparam even if the variable was enclosed in single ticks. "Could it be?", I scoffed. Oh yes, yes it is true.

Do you know the address of the Adobe page for requesting bug fixes and product enhancements? Yes, that magical gateway of mystery and wonder that rhymes with a popular children's game. http://www.adobe.com/go/wish/