tracker issue : CF-3645181

Title:

Create Admin Option to Require Use of <cfqueryparam> Inside <cfquery> tags


Status/Resolution/Reason: Closed/Won't Fix/

Reporter/Name(from Bugbase): Peter Armstrong / Peter Armstrong (parmstrong108)

Created: 10/02/2013

Components: Database

Versions: 9.0.1

Failure Type: Enhancement Request

Found In Build/Fixed In Build: 9.0.1 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win 2008 Server x64

Vote Count: 0

ColdFusion allows parameters to be passed into a <cfquery> tag in two ways:

1)  Select * from Orders where OrderId = #theOrderId#

2)  Select * from Orders where OrderId = <cfqueryparam value="#theOrderId#" cfsqltype="cf_sql_integer">

Everyone knows that the second way is more secure against SQL injection attacks, but it is also more time consuming to code.  This means that developers don't always use <cfqueryparam> when they should.

I suggest adding a configurable option to ColdFusion that would NOT allow hashmark-quoted strings to be used within a <cfquery> tag, unless they are inside a <cfqueryparam> tag.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3645181

External Customer Info:
External Customer Name: parmstrong108


Comments:

This option would help to enforce a known best practice.
Comment by External U.
14359 | October 02, 2013 09:41:47 AM GMT
I wonder if this would be better as part of a broader "CFLint" sort of thing... something that scans for / polices a number of coding policy rules? -- Adam
Comment by External U.
14360 | October 02, 2013 03:05:48 PM GMT
+1 to Adam. There is a community project - http://www.hybridchill.com/projects/qpscanner.html which does the same. It would have been cooler if this, varscoper, codecop etc were merged to create one broader project.
Comment by Rupesh K.
14361 | November 25, 2013 08:22:49 AM GMT
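The check the request asks for, and that the CFLint/qpscanner comments place in a source scanner, as an added Python example that is not part of this tracker entry or of any project named in it: it reports every #...# expression that sits inside a <cfquery> body but outside a <cfqueryparam> tag. The sample CFML is constructed, and the regexes are a rough approximation of CFML tag syntax rather than a real parser.

```python
import re

# Constructed sample CFML (not from the tracker): the two styles the request
# contrasts, plus a hash expression outside any query, which is not a finding.
SAMPLE_CFML = """
<cfquery name="q1" datasource="orders">
    Select * from Orders where OrderId = #theOrderId#
</cfquery>
<cfquery name="q2" datasource="orders">
    Select * from Orders where OrderId = <cfqueryparam value="#theOrderId#" cfsqltype="cf_sql_integer">
</cfquery>
<cfset safe = "#theOrderId#">
"""

QUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
HASH_RE = re.compile(r"#([^#\n]+)#")


def find_unparameterized(cfml):
    """Return [(line_number, expression), ...] for each #...# that appears in a
    <cfquery> body without being wrapped in a <cfqueryparam> tag."""
    findings = []
    for q in QUERY_RE.finditer(cfml):
        body = q.group(1)
        body_start = q.start(1)
        # Blank out cfqueryparam tags (their value="#...#" is the safe form) and
        # the CFML escape ## with spaces, keeping lengths so offsets still map
        # back to line numbers in the original text.
        masked = PARAM_RE.sub(lambda m: " " * len(m.group(0)), body)
        masked = masked.replace("##", "  ")
        for h in HASH_RE.finditer(masked):
            offset = body_start + h.start()
            line = cfml.count("\n", 0, offset) + 1
            findings.append((line, h.group(1).strip()))
    return findings


def has_violations(cfml):
    """True when the source would fail the proposed 'require cfqueryparam' rule."""
    return bool(find_unparameterized(cfml))


if __name__ == "__main__":
    for line, expr in find_unparameterized(SAMPLE_CFML):
        print(f"line {line}: #{expr}# used in <cfquery> without <cfqueryparam>")
```

Run against a real code base, the scanner would be pointed at each .cfm/.cfc file in turn; only q1 in the sample is reported.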