A friend, who prefers to remain anonymous, pinged me today to ask what my favorite cfqueryparam scanner was. I don’t actually use one, but when I asked him why he wanted one, I was a bit surprised by his answer.
My friend does hosting, but it’s not his primary business. He has decided that he is going to begin a policy of scanning all the files on his system for ColdFusion queries without cfqueryparam. He will then send emails out to all developers who have failed to properly use cfqueryparam. If the code isn’t updated in two weeks, the server will be disconnected.
What do people think about this? Too draconian? Should a host be scanning for ‘trouble’ code at all?
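For readers wondering what such a scan actually looks for, here is an added example (my own illustration, not a tool the post or my friend uses): it finds `#expression#` interpolations pasted straight into the SQL of a `<cfquery>` block and skips the ones that appear inside a `<cfqueryparam>` tag, where they are safe. The `SAMPLE_CFML` input is constructed for the demonstration.

```python
import re
import sys
from pathlib import Path

# A <cfquery ...>...</cfquery> block; group 1 is the SQL text between the tags.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
# A <cfqueryparam ...> tag; an interpolation inside its attributes is the safe form.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# A ColdFusion #expression# interpolation (an escaped literal ## never matches).
INTERP_RE = re.compile(r"#[^#]+#")


def find_unparameterized_queries(cfml: str):
    """Return [(line_number, expression), ...] for every #expr# that is spliced
    directly into a cfquery's SQL instead of being passed through cfqueryparam."""
    findings = []
    for query in CFQUERY_RE.finditer(cfml):
        body, body_start = query.group(1), query.start(1)
        safe_spans = [p.span() for p in CFQUERYPARAM_RE.finditer(body)]
        for interp in INTERP_RE.finditer(body):
            inside_param = any(s <= interp.start() < e for s, e in safe_spans)
            if not inside_param:
                line = cfml.count("\n", 0, body_start + interp.start()) + 1
                findings.append((line, interp.group(0)))
    return findings


def scan_files(paths):
    """Scan .cfm/.cfc files and return {path: findings} for the files with hits."""
    report = {}
    for path in paths:
        hits = find_unparameterized_queries(Path(path).read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: the first query splices url.id into the SQL, the second
# passes both values through cfqueryparam and should not be flagged.
SAMPLE_CFML = """<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users
    WHERE id = #url.id#
</cfquery>
<cfquery name="getOrder" datasource="app">
    SELECT * FROM orders
    WHERE customer_id = <cfqueryparam value="#form.customerId#" cfsqltype="cf_sql_integer">
      AND status = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar">
</cfquery>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for line, expr in hits:
                print(f"{path}:{line}: {expr} used in cfquery without cfqueryparam")
    else:
        print(find_unparameterized_queries(SAMPLE_CFML))
```

Run it with a list of `.cfm` files to get a file:line report; with no arguments it scans the built-in sample and reports the single unparameterized `#url.id#`.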