QueryParam Scanner (qpScanner) is a tool designed to identify possible SQL injection
risks in CFML queries.
- GPL v3
- Latest Stable:
- v0.7.5, 8 January 2013
- Latest Preview:
- rc0.8, 29 June 2013
- CF v9 or above, Railo v3 or above, Lucee v4.5 or above
- (For CF8, CFMX7 and OpenBD support, use v0.7.3)
If you use an Eclipse-based IDE, there is a plugin which connects to
a qpScanner instance and uses it to scan selected files and/or directories.
The plugin also enables you to configure default and per-project settings.
It is available as a JAR download.
The current release of qpScanner has the following features:
- Finds all variables in cfquery without a surrounding cfqueryparam.
- Displays filenames, line number and query contents for all potential risks.
- Ability to scan any directory on local filesystem.
- Option to include/exclude child directories.
- Option to include/exclude ORDER BY clauses.
- Option to list which scopes any variables belong to.
- Option to highlight variables in client scopes.
- Multiple output formats (HTML, JSON, XML, WDDX).
- Ability to override Request Timeout.
- Option to specify file/directory exclusions (regex).
- Option to include/exclude Query of Queries.
- Option to include/exclude built-in CFML functions.
If there are other features you would like, please raise them using
the GitHub issue tracker.