Managed Hosting



QueryParam Scanner
Project Home Blog Known Issues Screenshots External Project Link Contact Project

Author: Peter Boughton (All RIAForge projects by this author)
Last Updated: January 10, 2013 7:45 AM
Version: 0.7.5
Views: 74,939
Downloads: 8,003
License: GPL (GNU General Public License), Version 3


qpScanner is a simple tool that scans your codebase looking for queries. For every query it finds, it will check if there are any CFML variables in that query that are not contained within a cfqueryparam tag.
Once complete, it will display a list of files with queries to be checked, listing the line numbers and showing the contents of the query.

For full details please see the main project page:

If you have any feature suggestions, or find any bugs, please use the issue tracker:

v0.7.5 (8-Jan-2013)
Added: JSON output format
Added: number of potential risk files
Fixed: wording in HTML output for number of risks
Fixed: identical queries were causing incorrect line numbers.
Fixed: query names were not being detected.
Fixed: blank lines were incorrectly removed.

v0.7.4 (25-Jun-2011)
Fixed: Removed Struct function entirely; now requires CF9 or Railo 3.x
Fixed: Minor performance improvements.

v0.7.3 (25-Mar-2011)
Fixed: Now works when Railo's "Local scope mode" is set to "always".
Fixed: Client Scope checking was looking at wrong code variable. (Thanks to John Hodorowicz for spotting this!)
Fixed: Now works with attribute-less <cfquery> tag.

v0.7.2 (2-Dec-2009)
Fixed: Better workaround for CF expandPath issue.
Fixed: Renamed compatibility function Struct to Variables.Struct to avoid name conflict.

v0.7.1 (24-Sep-2008)
Fixed: IE check affecting ColdFusion didn't work.
Fixed: Win/CF expandPath fix, drive letter was case-sensitive.

v0.7 (23-Sep-2008)
Changed: Significantly faster processing.
Added: Multiple output formats.
Added: Ability to override Request Timeout.
Added: Option to specify file/directory exclusions.
Added: Option to include/exclude Query of Queries.
Added: Option to include/exclude built-in CFML functions.
Added: Eclipse Plugin for easier execution.

v0.6.1 (29-Apr-2008)
Fixed: Proper query names now display.
Added: Option to exclude ORDER BY clauses.
Added: Option to list scopes used.
Added: Option to highlight client scopes.
Fixed: Was giving false positives for cfswitch.

v0.5.2 (19-Apr-2008)
Fixed: Corrected \ to Server.Separator.File so qpScanner now also works on non-Windows machines.

v0.5.1 (17-Apr-2008)
Fixed: Was case-sensitive and found "cfquery" but not "CFQUERY". Is now case-insensitive.
Changed: Init->init in jre-utils. Enables BlueDragon support.

Recent Blog Entries:

Last Update:

QueryParam Scanner v0.7.5 released


Running the QueryParam Scanner tool requires a Java-based CFMX-compatible CFML engine (uses CFCs and Java object).

v0.7.5 requires:
- ColdFusion 9 and above.
- Railo 3 and above.

For CF8, CFMX7 and OpenBD support, use v0.7.3, available from:

NOTE: If your server is CF5 (or other unsupported), I recommend getting Railo Express in order to run the tool.

Uses three other open-source projects, cfRegex, jQuery and Fusebox, all included.

Issue Tracker:

This project has an external bug tracker. You can find it here:

Source Control Access:

This project hosts its source control at an external location: