
QueryParam Scanner v0.7.5


DESCRIPTION
===========

QueryParam Scanner (qpScanner) is a tool designed to identify possible SQL
injection risks in CFML queries, by highlighting instances of unparameterised
variables.



STATUS
======

**This is a dev version of qpScanner, see master branch for stable release.**

Version: v0.7.5
Released: 2013-01-08

To check the latest release, visit http://sorcerersisle.com/projects:qpscanner.html



REQUIREMENTS
============

qpScanner can scan code written for any CFML engine, but itself requires
at least ColdFusion 9 or Railo 3.x to run.

To run qpScanner on older CFML engines, try v0.7.3 instead; this is available
on branch 0.7.3 or for download from https://github.com/boughtonp/qpscanner/tags



INSTALLATION
============

Extract all files to a directory in your webroot, then access that directory in
a browser.

Everything required is contained within the zip file; no mappings or
datasources need to be set up.



ECLIPSE PLUGIN INSTALLATION
===========================

There is a separately available plugin for the Eclipse IDE, allowing qpScanner
to be executed against specific files or directories.

For more details on this plugin, check the info provided at:

  http://sorcerersisle.com/projects:qpscanner.html#EclipsePlugin



USAGE
=====

Upon accessing qpScanner you will see a simple form:

	Directory
		The location of the code you wish to scan.
		This can be either an absolute path or a mapping.

	Recurse?
		Select yes if you want qpScanner to look inside sub-directories,
		or no to only scan the files directly in the specified directory.


Once these are set as appropriate, press Scan and qpScanner will get to work.

It will look for queries with CF variables (i.e. `#values_in_hashes#`) that are
not inside a cfqueryparam tag and, once complete, will list how many were
found out of how many total queries, and provide a list of files and queries.
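
The check described above, as an added example in Python that is not part of
qpScanner (which is itself written in CFML): it finds `#var#` interpolations in
tag-based cfquery bodies that are not wrapped in a cfqueryparam tag and
summarises the result. Like the known issue listed below, it does not handle
queries written in cfscript. The sample CFML is constructed for this example.

```python
import re

# Constructed sample CFML (not from the qpScanner project): the first query drops
# #url.id# straight into the SQL text, the second wraps every variable in cfqueryparam.
SAMPLE_CFML = """
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getUserSafe" datasource="app">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND status = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar">
</cfquery>
"""

QUERY_RE = re.compile(r'<cfquery\b([^>]*)>(.*?)</cfquery>', re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
PARAM_RE = re.compile(r'<cfqueryparam\b[^>]*>', re.IGNORECASE)
VAR_RE = re.compile(r'#([^#\n]+)#')


def scan(cfml):
    """Return (total_queries, {query_name: [unparameterised variables]})."""
    findings = {}
    queries = QUERY_RE.findall(cfml)
    for index, (attrs, body) in enumerate(queries):
        name_match = NAME_RE.search(attrs)
        name = name_match.group(1) if name_match else "unnamed query %d" % index
        # Remove each cfqueryparam tag (taking its #value# with it) and any escaped
        # ## literal; whatever #var# survives is interpolated directly into the SQL.
        stripped = PARAM_RE.sub("", body).replace("##", "")
        unparameterised = VAR_RE.findall(stripped)
        if unparameterised:
            findings[name] = unparameterised
    return len(queries), findings


def report(cfml):
    """Summarise the scan the way qpScanner's results page does: hits out of total."""
    total, findings = scan(cfml)
    lines = ["%d of %d queries contain unparameterised variables" % (len(findings), total)]
    for name, variables in findings.items():
        lines.append("  %s: %s" % (name, ", ".join(variables)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CFML))
```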


NOTE: QueryParam Scanner should be used *only* in your development environment,
not on a live/public box. In addition to the security risks, it might have an
adverse effect on performance.



KNOWN ISSUES
============

There is one known issue with this release:

* qpScanner does not work with queries in cfscript. For more details see:
  https://github.com/boughtonp/qpscanner/issues/7#issuecomment-11916582

Visit the Issue Tracker for details of any issues that might since have been
raised, to report any issues that you find, or to request new functionality:

  https://github.com/boughtonp/qpscanner/issues



CREDITS, VERSIONS & LICENSING
=============================

QueryParam Scanner is a project created and maintained by Peter Boughton,
licensed under the GPLv3 (read license.txt for details).

The project gratefully makes use of the third-party software detailed below,
each available individually under its respective license.

cfRegex v0.1.003-qp (http://cfregex.net)
* Source: https://github.com/boughtonp/qpscanner
* License: GPLv3 or LGPLv3
* Files: cfcs/cfregex.cfc

jQuery v1.2.6 (http://jquery.com)
* Source: https://github.com/jquery/jquery
* License: GPLv2 or MIT (see http://jquery.org/license)
* Files: resources/scripts/jquery-1.2.6.min.js

Framework One v2.2 (http://fw1.riaforge.org)
* Source: http://github.com/seancorfield/fw1/
* License: Apache v2.0 (http://www.apache.org/licenses/LICENSE-2.0)
* Files: framework.cfc


/eof