QueryParam Scanner - a tool to identify possible SQL injection risks in CFML queries.
Latest commit 42b7b88 (Jun 2, 2014, @boughtonp): Fix behaviour of scanQoQ option and improve check.

Was incorrectly doing an exact match on the whole query code instead of a partial match on the opening tag only.

Fixes #13 on GitHub.


QueryParam Scanner v0.8 (RC)


QueryParam Scanner (qpScanner) is a tool designed to identify possible SQL injection risks in CFML queries, by highlighting instances of unparameterised variables.


This is a release candidate of qpScanner; see the master branch for the stable release.

Version: v0.8 (RC) Released: 2013-06-29

To check for the latest release, visit http://sorcerersisle.com/projects:qpscanner.html


qpScanner can scan code written for any CFML engine, but itself requires at least ColdFusion 9 or Railo 3.x to run.

To run qpScanner on older CFML engines, try v0.7.3 instead; it is available on the 0.7.3 branch or for download from https://github.com/boughtonp/qpscanner/tags


Extract all files to a directory in your webroot, then access that directory in a browser.

Everything required is contained within the zip file; no mappings or datasources need to be set up.


There is a separately available plugin for the Eclipse IDE, allowing qpScanner to be executed against specific files or directories.

For more details on this plugin, check the info provided at:



Upon accessing qpScanner you will see a simple form:

    The location of the code you wish to scan.
    This can be either an absolute path or a mapping.

    Select yes if you want qpScanner to look inside sub-directories,
    or no to only scan the files directly in the specified directory.

Once these are set as appropriate, press Scan and qpScanner will get to work.

It will look for queries containing CF variables (i.e. #values_in_hashes#) that are not inside a cfqueryparam tag and, once complete, will list how many were found out of how many total queries, along with a list of the affected files and queries.
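To make the check concrete, here is an added example (not code from the qpScanner project) that applies the same idea in Python: find each cfquery block, drop every cfqueryparam tag from its body, and report any #variable# that survives. It also treats the scanQoQ option the way the commit message above describes it, deciding whether a query is a query-of-queries by looking only at the opening tag. The CFML input is constructed for the example, and the handling of escaped hashes (##) and CFML comments is deliberately simplified.

```python
import re
from dataclasses import dataclass, field

# Constructed sample CFML (not from the qpScanner project): one unparameterised
# query, one fully parameterised query, and one query-of-queries (dbtype="query").
SAMPLE_CFML = """
<cfquery name="getUser" datasource="app">
    SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getUserSafe" datasource="app">
    SELECT id, name FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
      AND status = <cfqueryparam value="#form.status#" cfsqltype="cf_sql_varchar" />
</cfquery>
<cfquery name="filtered" dbtype="query">
    SELECT * FROM getUserSafe WHERE name = '#form.name#'
</cfquery>
"""

# Opening tag attributes in group 1, query body in group 2.  The \b after
# "cfquery" stops this from matching <cfqueryparam ...> tags.
QUERY_RE = re.compile(r"<cfquery\b([^>]*)>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
QUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
NAME_RE = re.compile(r"""\bname\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
# Query-of-queries is identified from the opening tag only (partial match),
# which is the behaviour the scanQoQ fix above describes.
QOQ_RE = re.compile(r"""\bdbtype\s*=\s*["']query["']""", re.IGNORECASE)
# A CF variable reference: something between two hashes on one line.
# Simplification: an escaped literal "##" is not specially handled here.
VARIABLE_RE = re.compile(r"#([^#\n]+?)#")


@dataclass
class QueryResult:
    name: str
    is_qoq: bool
    unparameterised: list = field(default_factory=list)


def scan_source(source, scan_qoq=True):
    """Return one QueryResult per cfquery block, listing variables that are
    used directly in the SQL rather than inside a cfqueryparam tag."""
    results = []
    for match in QUERY_RE.finditer(source):
        attrs, body = match.group(1), match.group(2)
        name_match = NAME_RE.search(attrs)
        name = name_match.group(1) if name_match else "(unnamed)"
        is_qoq = bool(QOQ_RE.search(attrs))
        if is_qoq and not scan_qoq:
            continue
        # Remove every cfqueryparam tag so the #vars# inside them are not counted.
        stripped = QUERYPARAM_RE.sub("", body)
        variables = [v.strip() for v in VARIABLE_RE.findall(stripped)]
        results.append(QueryResult(name, is_qoq, variables))
    return results


def summarise(results):
    """(number of queries with unparameterised variables, total queries scanned)."""
    flagged = sum(1 for r in results if r.unparameterised)
    return flagged, len(results)


if __name__ == "__main__":
    found = scan_source(SAMPLE_CFML, scan_qoq=True)
    flagged, total = summarise(found)
    print(f"{flagged} of {total} queries contain unparameterised variables")
    for r in found:
        if r.unparameterised:
            kind = "QoQ" if r.is_qoq else "query"
            print(f"  {r.name} ({kind}): {', '.join(r.unparameterised)}")
```

Running it reports 2 of 3 queries as risky (getUser via url.id and the QoQ via form.name) while getUserSafe passes because both of its variables sit inside cfqueryparam tags; passing scan_qoq=False drops the query-of-queries from the count, giving 1 of 2.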

NOTE: QueryParam Scanner should be used only in your development environment, not on a live/public box. In addition to the security risks, it might have an adverse effect on performance.


There is one known issue with this release:

Visit the Issue Tracker for details of any issues that might since have been raised, to report any issues that you find, or to request new functionality:



QueryParam Scanner is a project created and maintained by Peter Boughton, licensed under the GPLv3 (read license.txt for details).

The project gratefully makes use of the third-party software detailed below, each of which is available individually under its respective license.

cfRegex v0.1.003-qp (http://cfregex.net)

jQuery v1.2.6 (http://jquery.com)

Framework One v2.2 (http://fw1.riaforge.org)