Earlier this week I promoted the release candidate for 0.7.5 of QueryParam Scanner
to full release.
For anyone unaware, QueryParam Scanner is a simple tool for identifying
unparameterised variables in CFML queries (which may indicate a potential SQL
This version has a handful of bug fixes and code cleanups, resulting in faster
more accurate scanning than previous versions, plus the addition of JSON output
format, giving a more lightweight option if used in scripted processes.
For further details on these, see the previous RC article; other than
a couple of trivial fixes and a new readme, nothing has changed since that.
To download the latest version, you can either clone the git repo, or
grab it as a zip archive from the GitHub tags page.
For any feedback, problems, or questions, please use the issue tracker.
If you're using a cPanel-powered Apache server, there's a chance it
may not be setup in the best way.
The same issue might manifest itself in two ways: confusing error messages and
ignored htaccess directives.
In both cases, the solution is to use the ErrorDocument directive.
Find out more.
Today was the 1st June, and that means it's Regex Day again!
This annual event was started four years ago by Ben Nadel to celebrate this wonderful (yet often misunderstood) technology, and as usual Ben is running a fun regex competition, with prizes, on his blog.
If that's not enough regex goodness for you, here's a couple of projects you should know about.
For CFML developers, there's cfRegex a replacement regex implemenation providing more power and functionality than CFML's native functions, whilst being easier to work with.
Whatever your level of regex skill, both of these tools are definitely worth checking out.
I have just pushed an update of QueryParam Scanner to GitHub, containing
This update is on the rc0.7.5 branch, and it'd be nice if people could
take it for a spin and make sure there are no issues with it. (There is a
zip download for anyone without git.)
The visible changes which you might notice are:
- Added JSON output format, giving an alternative to XML for anyone using
qpscanner in a scripted process.
- Added variable for number of potential risk files, and improved related
wording in HTML output.
- Fixed bug where identical queries were causing incorrect line numbers.
- Fixed bug where query names were not being detected.
- Fixed bug where blank lines were incorrectly removed.
However, there are also significant under-the-hood changes. I removed my
obsolete "Java Regex Utils" library (replacing it with the object part of
cfRegex), and made a number of little code clean-ups.
A result of these changes is that qpscanner rc0.7.5 appears to be almost twice
as fast as previous versions.
If you have any feedback, please feel free to contact me via GitHub,
and similarly if you find any bugs then please raise them on the issue tracker.
It's been over two and a half years since my last "why railo" post, and -
despite Railo "only" being 0.3 versions on - there's
been a lot of improvements!
In fact, because it's been so long, a few of the things here are not new with
v3.3 (though they are all new since the previous article),
but are still great features that deserve mentioning!
Read on to find out what my ten favourite new feature are.