tracker issue : CF-4126536

Title:

Security Analyzer - case sensitivity for <cfqueryparam>


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Unspecified

Found In Build/Fixed In Build: Alpha3_v12 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Win All

Vote Count: 0

Testing sample source code that had the following:

<cfquery name="unsub" datasource="#application.ds#" username="#application.un#" password="#application.pw#">
	update comments set
	subscribe	= 0,
	followup	= 0
	where commentid = <cfqueryPARAM value="#trim(url.id)#" CFSQLType='CF_SQL_VARCHAR'>
</cfquery>

The security analyzer flagged it SQLi, Error, High. There is no SQLi in the fragment; it was due to the mixed case of the cfqueryparam tag. Changed to lower case and it was not flagged correctly.

Please make sure that other areas are not case sensitive.
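To show why the tag-name match has to be case-insensitive for this rule, here is a toy checker (added to this entry; it is not Adobe's Security Analyzer code and only approximates its SQLi rule with regular expressions). It reports any `#...#` expression spliced directly into the SQL text of a cfquery block, after removing every cfqueryparam tag it recognises. The `case_sensitive` switch reproduces the false positive in the report: with case-sensitive matching, `<cfqueryPARAM ...>` is not recognised and its `value="#trim(url.id)#"` attribute is reported as raw interpolation. The samples are constructed from the fragment above.

```python
import re

# Constructed samples (not taken verbatim from the tracker): the mixed-case
# fragment from the report, the same fragment with a lower-case tag, and a
# query that really does splice a URL parameter into the SQL text.
MIXED_CASE = """<cfquery name="unsub" datasource="#application.ds#">
    update comments set subscribe = 0, followup = 0
    where commentid = <cfqueryPARAM value="#trim(url.id)#" CFSQLType='CF_SQL_VARCHAR'>
</cfquery>"""

LOWER_CASE = MIXED_CASE.replace("cfqueryPARAM", "cfqueryparam")

UNPARAMETERISED = """<cfquery name="unsub" datasource="#application.ds#">
    update comments set subscribe = 0, followup = 0
    where commentid = #trim(url.id)#
</cfquery>"""

# A '#expr#' left in the SQL body after every recognised cfqueryparam tag has
# been removed is raw interpolation. ('##' escapes are not handled here.)
INTERPOLATION_RE = re.compile(r"#[^#]+#")


def find_unparameterised(source, case_sensitive=False):
    """Return the '#...#' expressions interpolated directly into the SQL of
    each cfquery block in `source`.

    case_sensitive=False is the correct behaviour: CFML tag names are not
    case-sensitive, so cfqueryparam, cfQueryParam and cfqueryPARAM are the
    same tag. case_sensitive=True reproduces the reported false positive.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    query_re = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", flags | re.DOTALL)
    param_re = re.compile(r"<cfqueryparam\b[^>]*>", flags)
    findings = []
    for query in query_re.finditer(source):
        sql_body = query.group(1)
        # Drop recognised cfqueryparam tags so the '#...#' inside their value
        # attribute is not mistaken for interpolation into the SQL text.
        stripped = param_re.sub("", sql_body)
        findings.extend(m.group(0) for m in INTERPOLATION_RE.finditer(stripped))
    return findings


if __name__ == "__main__":
    samples = [("mixed case", MIXED_CASE),
               ("lower case", LOWER_CASE),
               ("unparameterised", UNPARAMETERISED)]
    for label, sample in samples:
        insensitive = find_unparameterised(sample)
        sensitive = find_unparameterised(sample, case_sensitive=True)
        print(f"{label:16} case-insensitive={insensitive!r:20} "
              f"case-sensitive={sensitive!r}")
```

Only the mixed-case sample changes result between the two modes, which is exactly the bug: the lower-case and genuinely unparameterised queries are classified the same way either way. Any rule that keys on a CFML tag or attribute name (cfqueryparam, cfsqltype, the cfquery tag itself) needs the same case-insensitive match.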

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4126536

External Customer Info:
External Company:  
External Customer Name: David Epler
External Customer Email: dcepler@dcepler.net
External Test Config:

Attachments:

Comments:

Added By: preethi  Note Added: Fix will be available in the next release. Thanks!  Date Added: 2015-11-21 06:23:22.0
Added By: PreRelease User  User Name: David Epler  Note Added: Entered Bug.  Date Added: 2015-10-30 22:16:00.0
Comment by CFwatson U.
3823 | March 09, 2016 02:30:10 AM GMT