Comments on: cfqueryparam / regular expression http://bloginblack.de/2010/02/cfqueryparam-regular-expression/ Protecting the web from bad ColdFusion code (since 2003) Thu, 09 Feb 2012 08:37:29 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Charles http://bloginblack.de/2010/02/cfqueryparam-regular-expression/comment-page-1/#comment-18625 Charles Mon, 01 Nov 2010 15:39:18 +0000 http://bloginblack.de/?p=1108#comment-18625 Well, I'm not as technical oriented as you, but face a similar situation. But I ran into a little frustration trying to follow your blog. Since there is no "by" in Coldfusion REPLACE, nor in Javascript, it would have been nice to let readers also know how you actually ran the replace command against the suspect files. I hope the reader can come up with an environment for using it (depending on whether they are in Linux or Window - since you left that out as well). Maybe you used Microsoft Word? (Not available in Linux). I guess you could load the file into memory and use Coldfusion to do the replacements. Personally, I'm looking into using a Linux script for it. First I'd like to test it on some test files to see how it does. Never assume the reader that needs this has ANY background on HOW to do it. Thanks for posting this as it may be helpful to some, but if you're gonna throw a bone, try to leave a little meat on it ;-) Well,

I’m not as technical oriented as you, but face a similar situation. But I ran into a little frustration trying to follow your blog.

Since there is no “by” in Coldfusion REPLACE, nor in Javascript, it would have been nice to let readers also know how you actually ran the replace command against the suspect files. I hope the reader can come up with an environment for using it (depending on whether they are in Linux or Window – since you left that out as well).

Maybe you used Microsoft Word? (Not available in Linux). I guess you could load the file into memory and use Coldfusion to do the replacements. Personally, I’m looking into using a Linux script for it. First I’d like to test it on some test files to see how it does.

Never assume the reader that needs this has ANY background on HOW to do it.

Thanks for posting this as it may be helpful to some, but if you’re gonna throw a bone, try to leave a little meat on it ;-)

]]> By: marcus http://bloginblack.de/2010/02/cfqueryparam-regular-expression/comment-page-1/#comment-1240 marcus Wed, 10 Feb 2010 14:44:15 +0000 http://bloginblack.de/?p=1108#comment-1240 @Eric: thanks for the tip - I didn't know qpscanner at all... Does it have advantages over a grep search? I could have tweaked the grep expression using regex, but my (indeed rather simple) solution did the trick as far as this project is concerned. I just needed a list of files containing cfquery and was too lazy to replace all variables manually. If you ever needed to type on a german keyboard, you know what I'm talking about ;-) @Eric: thanks for the tip – I didn’t know qpscanner at all…
Does it have advantages over a grep search? I could have tweaked the grep expression using regex, but my (indeed rather simple) solution did the trick as far as this project is concerned. I just needed a list of files containing cfquery and was too lazy to replace all variables manually. If you ever needed to type on a german keyboard, you know what I’m talking about ;-)

]]> By: Peter Boughton http://bloginblack.de/2010/02/cfqueryparam-regular-expression/comment-page-1/#comment-1141 Peter Boughton Sat, 06 Feb 2010 16:16:09 +0000 http://bloginblack.de/?p=1108#comment-1141 The problem with the above regex solution - and the key reason qpscanner doesn't do fixing yet - is that regex can't handle CFML parsing. Some simple examples: '#this#and#that#' 'apos''#trophe#' "and '#so(on,"'")#" If people are going to rely on qpscanner for auto-fixing, it needs to be near-perfect, and that needs a proper parser rather than simple regex. The problem with the above regex solution – and the key reason qpscanner doesn’t do fixing yet – is that regex can’t handle CFML parsing.

Some simple examples:
‘#this#and#that#’
‘apos”#trophe#’
“and ‘#so(on,”‘”)#”

If people are going to rely on qpscanner for auto-fixing, it needs to be near-perfect, and that needs a proper parser rather than simple regex.

]]> By: Eric Cobb http://bloginblack.de/2010/02/cfqueryparam-regular-expression/comment-page-1/#comment-1125 Eric Cobb Fri, 05 Feb 2010 22:27:34 +0000 http://bloginblack.de/?p=1108#comment-1125 I feel your pain, I've been in that situation before. Here's a useful tool for scanning your code and telling you what queries need paraming, http://qpscanner.riaforge.org/. Although it only tells you where the problems are, it doesn't fix them for you. Your regex solution seems pretty slick, you should think about expanding on the qpscanner and making a tool that finds AND fixes your queries. ;) I feel your pain, I’ve been in that situation before. Here’s a useful tool for scanning your code and telling you what queries need paraming, http://qpscanner.riaforge.org/. Although it only tells you where the problems are, it doesn’t fix them for you.

Your regex solution seems pretty slick, you should think about expanding on the qpscanner and making a tool that finds AND fixes your queries. ;)

]]>