There's a project for that.

I can't remember what it is off-hand, but I'm 100% sure there's a
"cfqueryparam-er".cfc out there, which does this.

Maybe this one? : http://qpscanner.riaforge.org/

I think there's at least one or two more too.  I should really make a
note of them somewhere...

It would be a good addition to codecop, too.

:denny

-- 
Time and memory are true artists; they remould reality nearer to the
heart's desire.
John Dewey

On Wed, Jan 13, 2010 at 4:34 PM, Michael Dinowitz wrote:
>
> Fast question. Has anyone seen an injection attack that used a field
> other than an integer?
>
> I've written a fast RegEx for use in Homesite (or any other regex
> using editor) that will find any query that has numeric 'looking'
> variables that are not in a cfqueryparam. While I have to change every
> variable not in a cfqueryparam, I'm trying to get the numerics first.

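As an added example, not part of the thread and not the qpscanner project or Michael's Homesite regex: a small Python scanner that does what both posts describe, finding `#variable#` interpolations inside `<cfquery>` bodies that are not wrapped in `<cfqueryparam>`, and reporting unquoted (numeric-looking) positions before quoted ones so they can be worked through in that order. The sample CFML is constructed for the example; classifying a position as quoted by counting single quotes before the interpolation, and picking `cf_sql_integer` versus `cf_sql_varchar` from that, are heuristics of this example and must be checked against the real column types.

```python
import re

# Constructed sample CFML for this example (not taken from the thread):
# one unquoted interpolation, one interpolation inside a string literal,
# and one value correctly wrapped in <cfqueryparam>.
SAMPLE_CFML = """
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="findUser" datasource="app">
    SELECT id FROM users WHERE name = '#form.name#'
</cfquery>
<cfquery name="safeUser" datasource="app">
    SELECT id FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
"""

# <cfquery ...>body</cfquery>; group 1 = tag attributes, group 2 = SQL body.
CFQUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>",
                        re.IGNORECASE | re.DOTALL)
# Any <cfqueryparam ...> tag; its value="#...#" is the safe way in.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# A CFML interpolation such as #url.id# (escaped '##' is not handled here).
INTERP_RE = re.compile(r"#([^#\n]+)#")
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)


def find_unparameterized(cfml):
    """Return (query_name, variable, context) for every #var# interpolated
    directly into a <cfquery> body instead of passed via <cfqueryparam>.
    context is 'quoted' when the interpolation sits inside a SQL string
    literal (odd number of single quotes before it) and 'unquoted' when
    it sits in a bare position, which is typically a numeric comparison."""
    findings = []
    for attrs, body in CFQUERY_RE.findall(cfml):
        name_match = NAME_RE.search(attrs)
        query_name = name_match.group(1) if name_match else "<unnamed>"
        # Drop parameterized values so only raw interpolations remain.
        raw_sql = CFQUERYPARAM_RE.sub("", body)
        for m in INTERP_RE.finditer(raw_sql):
            before = raw_sql[:m.start()]
            context = "quoted" if before.count("'") % 2 == 1 else "unquoted"
            findings.append((query_name, m.group(1).strip(), context))
    return findings


def suggest_param(variable, context):
    """Heuristic replacement tag: bare positions are usually integers,
    quoted positions strings. Verify cfsqltype against the column type,
    and drop the surrounding quotes when replacing a quoted interpolation."""
    sqltype = "cf_sql_varchar" if context == "quoted" else "cf_sql_integer"
    return f'<cfqueryparam value="#{variable}#" cfsqltype="{sqltype}">'


def triage(findings):
    """Order findings with unquoted (numeric-looking) positions first,
    the order the thread proposes for working through them."""
    return sorted(findings, key=lambda f: (f[2] != "unquoted", f[0]))


if __name__ == "__main__":
    for query, var, ctx in triage(find_unparameterized(SAMPLE_CFML)):
        print(f"{query}: #{var}# in {ctx} position -> {suggest_param(var, ctx)}")
```

Run it over a directory of `.cfm`/`.cfc` files by reading each file into `find_unparameterized`; the quote-parity check is deliberately simple and will misjudge SQL with string literals split across concatenations, so treat the output as a worklist rather than a verdict.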
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329643