I know it's not enough, but the point was that there has to be a priority in what gets fixed. If there are 300+ query vars to fix, which do you do first? My solution is to fix the numeric vars first and then fix everything else after. In the end it all gets done, but until I get to the end, the most dangerous vars have to be hit before the 'less' dangerous ones.

It would be preferred to take the app down, fix it, and put it back up, but with this client that is not an option. That means I have to work fast and smart to get the job done on a live site. Ug. :(

-- Michael

On Thu, Jan 14, 2010 at 5:43 AM, Peter Boughton <bought...@gmail.com> wrote:
>
>> The qpscanner is ok in general but I want something that will only get
>> me numeric variables that are not in a cfqueryparam.
>
> That is not enough to protect you!
>
> It is not hard to create injection attacks that bypass CF's auto-doubling of
> quotes.
>
> qpscanner deliberately errs on the side of paranoia, because it only takes
> one small hole for an attacker to get in and cause havoc.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:329662
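The reason numeric variables go to the front of the queue, and why the automatic quote-doubling Peter mentions is not a defence, can be shown with a small simulation. The following is an added example written for this thread; it is not code from the list, from qpscanner or from ColdFusion itself. It models in Python what ColdFusion does to a `#var#` interpolated straight into a `<cfquery>` (single quotes are doubled, nothing else), runs the resulting SQL against an in-memory SQLite table of constructed rows, and contrasts that with a bound parameter, the equivalent of `<cfqueryparam cfsqltype="cf_sql_integer">`. The table, column names and inputs are all assumptions for the demonstration.

```python
"""Numeric-context interpolation vs quoted-context interpolation vs a bound parameter.

Added example, not code from the cf-talk thread, qpscanner or ColdFusion.
"""
import sqlite3

# Constructed sample data (assumption: a users table like one a CF app might query).
SAMPLE_ROWS = [
    (1, "alice", "alice-secret"),
    (2, "bob", "bob-secret"),
    (3, "carol", "carol-secret"),
]


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def cf_autoquote(value):
    """Model of ColdFusion's automatic doubling of single quotes for #var# inside <cfquery>.

    This is the only transformation applied; nothing is validated or removed.
    """
    return str(value).replace("'", "''")


def numeric_context(user_input):
    """Simulates:  SELECT ... WHERE id = #url.id#   (unquoted, no cfqueryparam).

    No quote is needed to break out, so quote-doubling never engages.
    """
    sql = "SELECT id, username FROM users WHERE id = " + cf_autoquote(user_input)
    return fresh_db().execute(sql).fetchall()


def string_context(user_input):
    """Simulates:  SELECT ... WHERE username = '#url.name#'   (quoted, no cfqueryparam).

    Doubling keeps the attacker's quote inside the literal, at least for SQLite.
    """
    sql = (
        "SELECT id, username FROM users WHERE username = '"
        + cf_autoquote(user_input)
        + "'"
    )
    return fresh_db().execute(sql).fetchall()


def cfqueryparam_context(user_input):
    """Simulates:  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">.

    The value is type-checked and bound, never spliced into the SQL text.
    """
    try:
        value = int(user_input)
    except ValueError:
        raise ValueError("not an integer: %r" % (user_input,))
    conn = fresh_db()
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (value,)).fetchall()


if __name__ == "__main__":
    print("legit numeric :", numeric_context("2"))
    print("numeric inject:", numeric_context("1 OR 1=1"))
    print("numeric union :", numeric_context("1 UNION SELECT id, password FROM users"))
    print("string inject :", string_context("' OR '1'='1"))
    print("bound param   :", cfqueryparam_context("2"))
```

The unquoted `id = #url.id#` case returns every row for `1 OR 1=1` and leaks the password column for a `UNION` payload, with no quote character in the input at all; that is what makes the numeric variables the first ones to wrap in `cfqueryparam`. The quoted case survives here only because SQLite has no backslash escape: on a MySQL datasource with default settings, a payload containing `\'` is doubled to `\''`, the backslash consumes the first quote and the second closes the literal, which is one of the known ways the doubling is bypassed and why the quoted variables cannot be left as "safe enough".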
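Michael's triage, find every `#var#` inside a `<cfquery>` that is not wrapped in `<cfqueryparam>` and list the unquoted (numeric-context) ones first, can be done with a short scanner. The following is an added example and is not qpscanner or any code posted to the list; it runs over a constructed CFML snippet embedded below. It treats a variable as "numeric" context when it sits outside single quotes in the query text, and as "quoted" otherwise; the query names and variable names are assumptions.

```python
"""Triage scanner: unparameterised #vars# in <cfquery> blocks, unquoted ones first.

Added example, not qpscanner and not code from the cf-talk thread.
"""
import re

# Constructed sample CFML (assumption); q3 is already parameterised and should not be reported.
SAMPLE_CFML = """
<cfquery name="q1" datasource="dsn">
    SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="dsn">
    SELECT * FROM users WHERE username = '#form.username#'
</cfquery>
<cfquery name="q3" datasource="dsn">
    SELECT * FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="q4" datasource="dsn">
    SELECT * FROM orders WHERE status = '#url.status#' AND customer_id = #session.customerId#
</cfquery>
"""

# \b stops <cfquery from matching <cfqueryparam.
CFQUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.I | re.S)
QUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
VAR_RE = re.compile(r"#([^#\n]+)#")
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.I)


def inside_single_quotes(text, pos):
    """True if an odd number of single quotes precede pos, i.e. we are inside a string literal."""
    return text.count("'", 0, pos) % 2 == 1


def scan(cfml):
    """Return (query name, variable, context) for each #var# not inside a cfqueryparam."""
    findings = []
    for attrs, body in CFQUERY_RE.findall(cfml):
        m = NAME_RE.search(attrs)
        qname = m.group(1) if m else "<unnamed>"
        # Anything inside a cfqueryparam tag is bound, so drop the whole tag before looking for #var#.
        stripped = QUERYPARAM_RE.sub("", body)
        for vm in VAR_RE.finditer(stripped):
            ctx = "quoted" if inside_single_quotes(stripped, vm.start()) else "numeric"
            findings.append((qname, vm.group(1), ctx))
    return findings


def triage(cfml):
    """Unquoted (numeric-context) variables first, then quoted ones; all of them still need fixing."""
    findings = scan(cfml)
    numeric = [f for f in findings if f[2] == "numeric"]
    quoted = [f for f in findings if f[2] == "quoted"]
    return numeric + quoted


if __name__ == "__main__":
    for qname, var, ctx in triage(SAMPLE_CFML):
        print("%-8s %-7s %s" % (ctx, qname, var))
```

The quote-counting heuristic is deliberately crude: it ignores CFML comments, `##` escapes and quotes inside SQL comments, so on a real code base it will misclassify some variables, which is exactly why qpscanner errs toward reporting more rather than less. Use the ordering to decide what to fix tonight, not to decide what can be skipped.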