It seems that while I was gone there was some noise about CF and SQL Injection. I find this a bit surprising as I thought everyone was using cfqueryparam now, aren't they? In all seriousness, here are a few links to consider:
- Announcing the first ever International Operation cf_SQLprotect: I'm a few days late on this (let's see - Friday at this time I was downtown Austin), but Brad Wood decided that July 25th would be a good day to scan your code for SQL vulnerabilities. While we should do this constantly, there is nothing wrong with doing it again, over your entire code base.
- Brad linked to QueryParam Scanner by Peter Boughton.
- Brad also linked to Daryl Banttari's scanner.

Now all we need is a one stop var scope checker/queryparam checker in one tool.
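A first pass at the kind of queryparam check those scanners perform, as an added example written for this post (not Brad's, Peter's or Daryl's tool): it finds cfquery bodies that interpolate a `#variable#` straight into the SQL instead of binding it through cfqueryparam. The CFML sample is constructed.

```python
import re

# Constructed CFML sample (not from the post): one query interpolating a URL
# variable straight into the SQL, one that binds it through cfqueryparam.
SAMPLE_CFML = """
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getOrder" datasource="app">
    SELECT * FROM orders
    WHERE id = <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
</cfquery>
"""

QUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r'\bname\s*=\s*"([^"]*)"', re.IGNORECASE)
PARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
INTERP_RE = re.compile(r"#[^#\n]+#")  # a #expr# interpolation ("##" is a literal hash)


def find_unparameterized_queries(cfml):
    """Return (line, query name, expression) for every #...# interpolated
    directly into a cfquery body rather than bound via cfqueryparam."""
    findings = []
    for match in QUERY_RE.finditer(cfml):
        attrs, body = match.group(1), match.group(2)
        name_match = NAME_RE.search(attrs)
        name = name_match.group(1) if name_match else "(unnamed)"
        line = cfml.count("\n", 0, match.start()) + 1
        # Interpolations inside a cfqueryparam tag are bound parameters, so drop
        # those tags first; whatever #...# remains goes straight into the SQL text.
        sql_only = PARAM_RE.sub("", body)
        for expr in INTERP_RE.findall(sql_only):
            findings.append((line, name, expr))
    return findings


def scan_file(path):
    """Scan one .cfm/.cfc file and return its findings."""
    with open(path, encoding="utf-8") as handle:
        return find_unparameterized_queries(handle.read())


if __name__ == "__main__":
    for line, name, expr in find_unparameterized_queries(SAMPLE_CFML):
        print(f"line {line}: query '{name}' interpolates {expr} without cfqueryparam")
```

Every remaining interpolation is reported for manual review, including ones that come from trusted scopes, since the scanner does not track where a variable was set.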