Tool to scan queries and add cfqueryparam where needed


I am looking for a tool that will go through my ColdFusion code files and add cfqueryparams where needed. I found many that will scan and show me where I need to make changes, but I found one at http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection which is pretty close to what I was looking for, but it doesn't add the cfsqltype (or maxlength). I was wondering if this still prevents SQL injection without cfsqltype? If it is required (I know it is technically optional), do you know of another tool that will do this? I believe that it is important to make sure that any variables in the ORDER BY clause are parameterized also, which this tool doesn't check for.

I am thinking of buckling down and changing the code from http://www.webapper.com/blog/index.php/2008/7/22/ColdFusion-SQL-Injection to do all this, but I thought it would be wise to ask first.

1 answer below

Use either that tool or QPScanner to scan your code base and find queries with missing cfqueryparam or missing cfprocparam.

Once you find them, MANUALLY UPDATE AND TEST EVERY INSTANCE.

Don't cross your fingers and hope things work themselves out.

I've been through this process a number of times and I can guarantee that you should take your time updating the code correctly.
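To make the "scan first, then fix each instance by hand" step concrete, here is a small added scanner in Python (my own example, not the Webapper tool or QPScanner, and not code from this thread): it flags raw `#var#` interpolation inside a cfquery, flags interpolation in the ORDER BY clause separately (a column name cannot be bound with cfqueryparam, so those need an allow-list rather than a parameter), and reports cfqueryparam tags that omit cfsqltype (the value is still bound, but the type validation is lost). The CFML sample is constructed for the example.

```python
import re

# Constructed sample CFML (not from the thread): the first query has all three
# issues, the second is already parameterized correctly.
SAMPLE_CFML = """
<cfquery name="q" datasource="ds">
  SELECT id, name FROM users
  WHERE id = #url.id#
    AND status = <cfqueryparam value="#form.status#">
  ORDER BY #url.sort#
</cfquery>
<cfquery name="ok" datasource="ds">
  SELECT 1 FROM t WHERE x = <cfqueryparam value="#x#" cfsqltype="cf_sql_integer">
</cfquery>
"""

CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
VAR_RE = re.compile(r"#([^#\s]+)#")  # a CFML #variable# reference


def scan_cfml(src):
    """Return a list of (query_index, kind, detail) findings.

    kinds: 'unparameterized' (raw #var# in the SQL text),
           'orderby'         (raw #var# inside the ORDER BY clause),
           'missing_cfsqltype' (cfqueryparam without a cfsqltype attribute).
    """
    findings = []
    for qi, m in enumerate(CFQUERY_RE.finditer(src)):
        body = m.group(1)
        # cfqueryparam tags that bind the value but skip type validation
        for tag in PARAM_RE.findall(body):
            if not re.search(r"\bcfsqltype\s*=", tag, re.I):
                findings.append((qi, "missing_cfsqltype", tag))
        # drop the cfqueryparam tags; any #var# left is raw string interpolation
        stripped = PARAM_RE.sub("", body)
        order_by = re.search(r"\border\s+by\b(.*)$", stripped, re.I | re.S)
        order_vars = set(VAR_RE.findall(order_by.group(1))) if order_by else set()
        for var in VAR_RE.findall(stripped):
            kind = "orderby" if var in order_vars else "unparameterized"
            findings.append((qi, kind, var))
    return findings


if __name__ == "__main__":
    for qi, kind, detail in scan_cfml(SAMPLE_CFML):
        print(f"query {qi}: {kind}: {detail}")
```

Each finding still has to be fixed and tested by hand, as the answer says; the scanner only tells you where to look.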