boughtonp / qpscanner

MOVED TO https://codeberg.org/boughtonp/qpscanner
https://www.sorcerersisle.com/software/qpscanner
GNU General Public License v3.0

Cfscript queries? #7

Open clint317 opened 11 years ago

clint317 commented 11 years ago

Any chance of including scans for scripted queries?

```cfscript
q = new Query(datasource=mydatasource);
q.setSQL( "select col1, col2, #col3# from #schema#.tblname where fee = :qpFa and foo = :qpLa and fum = '#so#'" );
q.addParam(name="qpFa", value="#val1#", cfsqltype="cf_sql_varchar");
q.addParam(name="qpLa", value="#val2#", cfsqltype="cf_sql_varchar");
```

boughtonp commented 11 years ago

Not a big one - this isn't a simple thing to add.

The current scanner relies on two things that script queries can't guarantee:

Neither of these are the case with the script syntax, and even a rudimentary implementation would require a significant amount of work.

Since I don't work with scripted queries myself, there's no incentive for me to spend that amount of time on something I wouldn't use.

Of course, if anyone wants to have a go and send in a pull request that'd be fine, or if anyone wanted to sponsor the development, that's also an option, but both of those would need to come with a big disclaimer that the functionality would be limited, and probably wouldn't cope with, for example:

```cfscript
sql = "select stuff ...";
if (something) sql &= "...";
...
q.setSQL( sql );
```
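To show what a rudimentary script-syntax check would and would not catch, here is an added Python sketch (not qpscanner's own code, which is written in CFML) that scans a constructed source snippet containing the query from the issue plus the dynamically built one from the reply. It flags `#var#` interpolations inside a `setSQL` string literal, cross-checks `:name` placeholders against `addParam` calls on the same query variable, and simply reports a `setSQL` whose argument is a variable, since it does not trace concatenation across statements; the variable names and the third query are assumptions for the demo.

```python
import re

# Constructed sample: the script query from the issue, a query assembled
# from a variable (the case the reply says a scanner would not cope with),
# and a placeholder with no matching addParam (assumed for the demo).
SAMPLE = '''
q = new Query(datasource=mydatasource);
q.setSQL( "select col1, col2, #col3# from #schema#.tblname where fee = :qpFa and foo = :qpLa and fum = '#so#'" );
q.addParam(name="qpFa", value="#val1#", cfsqltype="cf_sql_varchar");
q.addParam(name="qpLa", value="#val2#", cfsqltype="cf_sql_varchar");
sql = "select stuff from t where id = #url.id#";
if (something) sql &= " and x = 1";
q2.setSQL( sql );
q3.setSQL( "select 1 from t where a = :missing" );
'''

SETSQL_LITERAL = re.compile(r'(\w+)\.setSQL\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
SETSQL_VAR = re.compile(r'(\w+)\.setSQL\(\s*([A-Za-z_]\w*)\s*\)')
ADDPARAM = re.compile(r'(\w+)\.addParam\([^)]*?name\s*=\s*"(\w+)"')
INTERP = re.compile(r'#([^#]+)#')          # CFML #variable# interpolation
PLACEHOLDER = re.compile(r':(\w+)')        # :name bind placeholder

def scan_script_queries(src):
    """Return (kind, query_variable, detail) tuples for suspicious queries."""
    findings = []
    # Collect the parameter names bound to each query variable via addParam.
    params = {}
    for m in ADDPARAM.finditer(src):
        params.setdefault(m.group(1), set()).add(m.group(2))
    # Only string literals passed straight to setSQL can be inspected.
    for m in SETSQL_LITERAL.finditer(src):
        qvar, sql = m.group(1), m.group(2)
        for var in INTERP.findall(sql):      # interpolated directly into SQL
            findings.append(("unparameterised", qvar, var))
        for name in PLACEHOLDER.findall(sql):
            if name not in params.get(qvar, set()):
                findings.append(("placeholder-without-addParam", qvar, name))
    # A variable handed to setSQL may have been built anywhere; report it as
    # dynamic SQL rather than pretending to analyse it.
    for m in SETSQL_VAR.finditer(src):
        findings.append(("dynamic-sql", m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in scan_script_queries(SAMPLE):
        print(finding)
```

The `#url.id#` hidden inside the `sql` variable is exactly what this approach misses: it surfaces only as a generic "dynamic-sql" finding for `q2`, which is the limitation the reply above describes.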